Chapter 1: Introduction 



To configure and manage your Blue Coat® Systems SG appliance, Blue Coat developed 
a software suite that includes an easy-to-use graphical interface called the Management 
Console and a Command Line Interface (CLI). The CLI allows you to perform the 
superset of configuration and management tasks; the Management Console, a subset. 

This reference guide describes each of the commands available in the CLI. 

Audience for this Document 

This reference guide is written for system administrators and experienced users who 
are familiar with network configuration. Blue Coat assumes that you have a functional 
network topography, that you and your Blue Coat Sales representative have 
determined the correct number and placement of the SG appliance, and that those 
appliances have been installed in an equipment rack and at least minimally configured 
as outlined in the Blue Coat Installation Guide that accompanied the device. 

Organization of this Document 

This document contains the following chapters: 

Chapter 1 - Introduction 

The organization of this document; conventions used; descriptions of the CLI modes; 
and instructions for saving your configuration. 

Chapter 2 - Standard and Privileged Mode Commands 

All of the standard mode commands, including syntax and examples, in alphabetical 
order. All of the privileged mode commands (except for the configure commands, 
which are described in Chapter 3), including syntax and examples, in alphabetical 
order. 

Chapter 3 - #configure Mode Commands 

The #configure command is the most used and most elaborate of all of the CLI 
commands. 

Related Blue Coat Documentation 

You can download the following and other Blue Coat documentation in PDF format 
from the Blue Coat Web site at www.bluecoat.com. Note that the documents are on 
WebPower: You must have a WebPower account to access them. 
Document Conventions 

The following table lists the typographical and CLI syntax conventions used in this 
manual. 



Convention          Definition 

Italics             The first use of a new or Blue Coat-proprietary term. 

Courier font        Command-line text that will appear on your administrator workstation. 

Courier Italics     A command-line variable that should be substituted with a literal name or 
                    value pertaining to the appropriate facet of your network system. 

Courier Boldface    A CLI literal that should be entered as shown. 

{}                  One of the parameters enclosed within the braces must be supplied. 

[]                  An optional parameter or parameters. 

|                   Either the parameter before or after the pipe character can or must be 
                    selected, but not both. 



SSH and Script Considerations 

Consider the following when using the CLI during an SSH session or in a script: 

Case Sensitivity. CLI command literals and parameters are not case sensitive. 

Command Abbreviations. You can abbreviate CLI commands, provided you supply 
enough command characters as to be unambiguous. For example: 

SGOS# configure terminal 
Can be shortened to: 

SGOS# conf t 
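The abbreviation rule above (enough characters to be unambiguous, case-insensitive) is easy to get wrong in scripts that drive the CLI over SSH. The following Python is an added example, not code from this reference or from Blue Coat: it resolves abbreviated input against a small command table built from the commands this chapter's help examples list (the SGOS> ? listing plus configure terminal/network, pcap bridge/filter and purge-dns-cache), and reports an ambiguous prefix the way p? does, by listing the candidates. The table, the AmbiguousCommand class and the function names are this example's own assumptions.

```python
# Constructed command table for this example: the standard-mode commands that
# 'SGOS> ?' lists in this reference, plus the privileged keywords its help
# examples mention (configure terminal/network, pcap bridge/filter,
# purge-dns-cache). A nested dict holds the keywords that may follow; an empty
# dict means the command takes no further keywords, so anything after it is
# passed through unchanged as an argument.
COMMAND_TABLE = {
    "configure": {"terminal": {}, "network": {}},
    "display": {},
    "enable": {},
    "exit": {},
    "help": {},
    "pcap": {"bridge": {}, "filter": {}},
    "ping": {},
    "purge-dns-cache": {},
    "show": {},
    "traceroute": {},
}


class AmbiguousCommand(ValueError):
    """Raised when a prefix matches more than one keyword (hypothetical name)."""

    def __init__(self, token, candidates):
        super().__init__(f"{token!r} is ambiguous: {' '.join(candidates)}")
        self.candidates = candidates


def completions(prefix, table=COMMAND_TABLE):
    """Keywords in `table` that begin with `prefix`, as 'p?' help lists them.

    Matching is case-insensitive because the reference states that CLI
    literals are not case sensitive.
    """
    prefix = prefix.lower()
    return sorted(k for k in table if k.startswith(prefix))


def expand_token(token, table):
    """Expand one typed keyword to its full spelling.

    An exact keyword wins even if it is also a prefix of a longer one; a
    unique prefix is accepted; anything else is rejected.
    """
    matches = completions(token, table)
    if token.lower() in matches:
        return token.lower()
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise KeyError(f"unknown keyword {token!r}")
    raise AmbiguousCommand(token, matches)


def resolve(line, table=COMMAND_TABLE):
    """Return `line` with every abbreviated keyword written out in full.

    Keywords are expanded level by level; once the table has no further
    keywords the remaining tokens are arguments and are copied verbatim.
    """
    node, out = table, []
    for token in line.split():
        if not node:
            out.append(token)
            continue
        full = expand_token(token, node)
        out.append(full)
        node = node[full]
    return " ".join(out)


if __name__ == "__main__":
    for typed in ("conf t", "PI 10.25.36.47", "pc f"):
        print(f"{typed!r:22} -> {resolve(typed)}")
    print("p? ->", " ".join(completions("p")))
```

Expanding abbreviations before sending a line is worth doing in automation: a script that types "p" would get the candidate list back instead of a result, and a script that relies on "e" would break if a later release adds another keyword starting with that letter.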

Standard and Privileged Modes 

The SG appliance CLI has three major modes — standard, privileged, and configure privileged. 
In addition, privileged mode has several subordinate modes. See the introduction in 
Chapter 2: "Standard and Privileged Mode Commands" on page 13 for details about the 
different modes. 

□ Standard mode prompt: > 

□ Privileged mode prompt: # 

□ Configure Privileged mode prompt: # (config) 
Accessing Quick Command Line Help 

You can access command line help at any time during a session. The following commands 
are available in both standard mode and privileged mode. 



To access a comprehensive list of mode-specific commands: 

Type help or ? at the prompt. 

The help command displays how to use CLI help. For example: 

SGOS> help 
Help may be requested at any point in a command 
by typing a question mark '?'. 
1. For a list of available commands, enter '?' at 
   the prompt. 
2. For a list of arguments applicable to a command, 
   precede the '?' with a space (e.g. 'show ?') 
3. For help completing a command, do not precede 
   the '?' with a space (e.g. 'sh?') 

The ? command displays the available commands. For example: 



SGOS> ? 
display       Display a text based url 
enable        Turn on privileged commands 
exit          Exit command line interface 
help          Information on help 
ping          Send echo messages 
show          Show running system information 
traceroute    Trace route to destination 



To access a command-specific parameter list: 

Type the command name, followed by a space, followed by a question mark. 

Note that you must be in the correct mode — standard or privileged — to access the 
appropriate help information. For example, to get command completion help for pcap: 

SGOS# pcap ? 

bridge Setup the packet capture mode for bridges 

filter Setup the current capture filter 



To get command completion for configuring the time: 

SGOS# (config) clock ? 

day Set UTC day 

hour Set UTC hour 



To access the correct spelling and syntax, given a partial command: 

Type the first letter, or more, of the command, followed by a question mark (no spaces). 

Note that you must be in the correct mode — standard or privileged — to access the 
appropriate help information. For example: 

SGOS# p? 

pcap ping purge-dns-cache 
Chapter 2: Standard and Privileged Mode Commands 



This chapter describes and provides examples for the Blue Coat SG appliance standard and privileged 
mode CLI commands. These modes have fewer permissions than enabled mode commands. 

□ Privileged Mode Commands 

Privileged mode provides a set of commands that enable you to view, manage, and change SG 
appliance settings for features such as log files, authentication, caching, DNS, HTTPS, packet 
capture filters, and security. You cannot configure functionality such as SSL Proxy, HTTP 
compression, and the like. 

The prompt changes from a greater than sign (>) to a pound sign (#), acting as an indicator 
that you are in privileged mode. 

Enter privileged mode from standard mode by using the enable command: 

SGOS> enable 

Enable Password:******** 

SGOS# 

□ Configuration Mode Commands 

The configure command, available only in enabled mode, allows you to configure the Blue 
Coat SG appliance settings from your current terminal session (configure terminal), or by 
loading a text file of configuration settings from the network (configure network). Enabled 
mode commands are discussed in Chapter 3: Privileged Mode Configure Commands on page 87. 

The prompt changes from a pound sign (#) to a #(config) prompt, acting as an indicator that 
you are in configuration mode. 

Enter configuration mode from privileged mode by using the configure command: 

SGOS# conf t 
SGOS# (config) 

No password is needed to enter enabled mode. 

Standard Mode Commands 

Standard mode is the default mode when you first log on. From standard mode, you can view 
but not change configuration settings. This mode can be password protected, but it is not 
required. 

The standard mode prompt is a greater-than sign; for example: 

ssh> ssh -l username IP_address 
password: ****** 

SGOS> 

Commands available in standard mode are: 

> display on page 15 

View the content for the specified URL. 

> enable on page 16 

Changes the mode from Standard to Privileged. 

> exit on page 17 

Exits Standard mode. 

> help on page 18 

> ping on page 19 

Verifies that the system at hostname or IP address is active. 

> show on page 20 
Displays system information. 

> traceroute on page 38 

Traces the route to a destination. 
> display 

Synopsis 

Use this command to display the content (such as HTML or JavaScript) for the specified URL. This 
content is displayed one screen at a time. "— More —" at the bottom of the terminal screen indicates 
that there is additional content. Press the <spacebar> to display the next batch of content; press <Enter> 
to display one additional line of content. 

This command is used for general HTTP connectivity testing. 

Syntax 

> display url 

where url is a valid, fully-qualified text Web address. 

Example 

SGOS> display http://www.bluecoat.com 

10.9.59.243 - Blue Coat SG200>display http://www.bluecoat.com 

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" 
"http://www.w3.org/TR/html4/loose.dtd"> 
<HTML> 
<HEAD> 
<TITLE>Blue Coat Systems</TITLE> 
<META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> 
<META NAME="keywords" CONTENT="spyware WAN application spyware removal spy ware 
spyware remover application delivery to branch office accelerate performance 
applications remove spyware spyware application delivery secure application 
acceleration control SSL threat anti-virus protection WAN optimization AV 
appliance spyware blocker application acceleration distributed security 
application performance spyware killer spyware WebFilter protection CIFS MAPI 
streaming video Web application security branch offices secure endpoint 
protection SSL policy control remote user acceleration WAN delivery application 
performance WebFilter endpoint security fast WAN policy control spyware detection 
spyware eliminator block endpoint security spyware secure MAPI appliances SSL AV 
policy control stop spyware remove AV appliance SSL proxy Http secure Web 
application acceleration encryption Proxy Internet Proxy Internet Proxy Cache 
security proxy cache proxy server CIFS proxy servers branch office Web proxy 
appliance enterprise data center accelerate WAN and CIFS and MAPI and streaming 
video policy protection blue coat Web proxy Internet Web AV security systems blue 
coat branch office anti-virus performance blue coat remote users WAN performance 
acceleration Internet MAPI monitoring AV endpoint Internet application delivery 
management endpoint protection and security and acceleration of application 
content delivery with policy control Internet CIFS Web application filtering 
content filtering Web filtering web filter WAN filtered internet application 
acceleration" > 
> enable 

Synopsis 

Use this command to enter Privileged mode. Privileged mode commands enable you to view and 
change your configuration settings. A password is always required. 

Syntax 

> enable 

The enable command has no parameters or subcommands. 

For More Information 

□ # disable on page 47 

□ #(config) security username on page 302 

□ #(config) security password and hashed_password on page 286 

Example 

SGOS> enable 

Enable Password:****** 

SGOS# conf t 
SGOS# (config) 

Where conf t is a shortcut to typing configure terminal. 
> exit 

Synopsis 

Use this command to exit the CLI. In privileged and configuration mode, exit returns you to the 
previous prompt. 

Syntax 

> exit 

The exit command has no parameters or subcommands. 

Example 

SGOS> exit 
> help 

See Accessing Quick Command Line Help on page 11 for information about this command. 



Volume 11: Command Line Interface Reference 






> ping 

Synopsis 

Use this command to verify whether a particular host is reachable across a network. 

Syntax 

> ping {hostname | ip_address} 

Subcommands 

> ping hostname 

Specifies the name of the host you want to verify. 

> ping ip_address 

Specifies the IP address you want to verify. 

Example 

SGOS> ping 10.25.36.47 
Type escape sequence to abort. 
Sending 5, 64-byte ICMP Echos to 10.25.36.47, timeout is 2 seconds: 
!!!!! 
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms 
Number of duplicate packets received = 0 
> show 

Synopsis 

Use this command to display system information. Not all show commands are listed here, only 
those available in standard mode. You must be in privileged mode to see the remaining show commands. 

Syntax 

> show [subcommands] 

Subcommands 



Note: Hyperlinked (blue) options contain additional information. 



> show accelerated-pac 

Displays accelerated PAC file information. 

> show access-log on page 25 

Displays the current access log settings. 

> show arp-table 

Displays TCP/IP ARP table information. 

> show bandwidth-gain 

Displays bandwidth gain status, mode, and the status of the "substitute get for get-if-modified-since," 
"substitute get for HTTP 1.1 conditional get," and "never refresh before specified object expiry" features. 

> show bandwidth-management on page 26 

Displays bandwidth management configuration and statistics information. 

> show bridge on page 27 

Displays information about bridging on the system. 

> show caching 

Displays data regarding cache refresh rates and settings and caching policies. 

> show cifs 

Displays CIFS settings 

> show clock 

Displays the current SG appliance time setting. 

> show commands on page 28 

Displays the available CLI commands. 

> show console-services 

Displays information on the console services enabled or disabled on the system. 

> show content-distribution 

Displays the average sizes of objects in the cache. 

> show cpu 

Displays CPU usage. 

> show cpu-monitor 

Displays the state of the CPU monitor. 

> show diagnostics on page 29 

Displays remote diagnostics information. 

> show disk on page 30 

Displays disk information, including slot number, vendor, product ID, revision and serial number, 
capacity, and status, about all disks or a specified disk. 

> show dns 

Displays primary and alternate DNS server data. 

> show download-paths 

Displays downloaded configuration path information, including the policy list, accelerated PAC file, 
HTTP error page, ICP settings, RIP settings, static route table, upgrade image, and WCCP settings. 

> show efficiency 

Displays efficiency statistics by objects and by bytes, as well as information about non-cacheable objects 
and access patterns. 

> show epmapper [statistics] 

Displays proxy settings or statistics. 

> show event-log [configuration] 

Show the event-log configuration. 

> show exceptions on page 31 

Displays all exceptions or just the built-in or user-defined exception you specify. 

> show external-services [statistics] 

Displays external services or external services statistics information. 

> show failover [groupaddress] 

Displays failover settings for the specified group or all groups. 

> show forwarding 

Displays advanced forwarding settings, including download-via-forwarding, health check, and load 
balancing status, and the definition of forwarding hosts/ groups and advanced forwarding rules. 

> show ftp 

Displays the FTP settings on the system. 

> show health-checks 

Displays health check information. 

> show hostname 

Displays the current hostname, IP address, and type. 

> show http 

Displays HTTP configuration information. 

> show http-stats 

Displays HTTP statistics, including HTTP statistics version number, number of connections accepted by 
HTTP, number of persistent connections that were reused, and the number of active client connections. 

> show icp-settings 

Displays ICP settings. 

> show identd 

Displays IDENTD service settings. 

> show im on page 33 
Displays IM information 

> show installed-systems 

Displays SG appliance system information, listing the current five version and release numbers, boot 
and lock status, and timestamp information. 

> show interface {all | interfacenumber} 

Displays interface status and configuration information. 

> show ip-default-gateway 

Specifies the default IP gateway. 

> show ip-route-table 

Displays route table information. 

> show ip-rts-table 

Displays return-to-sender route table information. 

> show ip-stats on page 34 

Displays TCP/IP statistics 

> show licenses 

Displays license information. 

> show mapi 

Displays settings for the MAPI proxy. 

> show netbios 

Displays NETBIOS settings. 

> show ntp 

Displays NTP servers status and information. 

> show p2p [statistics] 

Displays P2P statistics 

> show policy [listing | order [policy] 

Displays current state of the policy. 

> show profile 

Displays the system profile. 

> show resources 

Displays allocation of disk and memory resources. 

> show restart 

Displays system restart settings, including core image information and compression status. 

> show return-to-sender 

Displays "return to sender" inbound and outbound settings. 

> show rip {default-route | parameters | routes | statistics} 

Displays information on RIP settings, including parameters and configuration, RIP routes, and RIP 
statistics. 

> show sessions 

Displays information about the CLI session. 

> show shell 

Displays the settings for the shell, including the maximum connections, the prompt, and the realm- and 
welcome-banners. 

> show snmp 

Displays SNMP statistics, including status and MIB variable and trap information 

> show socks-gateways 

Displays SOCKS gateway settings. 

> show socks-machine-id 

Displays the identification of the secure sockets machine. 

> show socks-proxy 

Displays SOCKS proxy settings. 

> show sources on page 35 

Displays source listings for installable lists, such as the license key, policy files, ICP settings, RIP settings, 
static route table, and WCCP settings files. 

> show ssl on page 36 
Displays ssl settings. 

> show static-routes 

Displays static route table information. 

> show status 

Displays current system status information, including configuration information and general status 
information. 

> show streaming on page 37 

Displays QuickTime, RealNetworks, or Microsoft Windows Media information, and client and total 
bandwidth configurations and usage. 

> show tcp-ip 

Displays TCP-IP parameters. 

> show tcp-rtt 

Displays default TCP round trip time ticks. 

> show terminal 

Displays terminal configuration parameters and subcommands. 

> show timezones 

Displays timezones used. 

> show user-authentication 

Displays Authenticator Credential Cache Statistics, including credential cache information, maximum 
number of clients queued for cache entry, and the length of the longest chain in the hash table. 

> show version 

Displays SG appliance hardware and software version and release information and backplane PIC 
status. 

> show virtual-ip 

Displays the current virtual IP addresses 

> show wccp {configuration | statistics} 

Displays WCCP configuration and statistics information. 



Examples 



SGOS> show caching 

Refresh: 
  Estimated access freshness is 100.0% 
  Let the ProxySG Appliance manage refresh bandwidth 
  Current bandwidth used is 0 kilobits/sec 
Policies: 
  Do not cache objects larger than 1024 megabytes 
  Cache negative responses for 0 minutes 
  Let the ProxySG Appliance manage freshness 
FTP caching: 
  Caching FTP objects is enabled 
  FTP objects with last modified date, cached for 10% of last modified time 
  FTP objects without last modified date, initially cached for 24 hours 



SGOS> show resources 

Disk resources: 
  Maximum objects supported:   1119930 
  Cached Objects:              0 
  Disk used by system objects: 537533440 
  Disk used by access log:     0 
  Total disk installed:        18210036736 

Memory resources: 
  In use by cache:             699203584 
  In use by system:            83230176 
  In use by network:           22872608 
  Total RAM installed:         805306368 



SGOS> show failover configuration group_address 

Failover Config 
  Group Address:          10.25.36.47 
  Multicast Address:      224.1.2.3 
  Local Address:          10.9.17.159 
  Secret:                 none 
  Advertisement Interval: 40 
  Priority:               100 
  Current State:          DISABLED 
  Flags:                  V M 



Three flags exist, set as you configure the group. 

V — Specifies the group name is a virtual IP address. 

R — Specifies the group name is a physical IP address 

M — Specifies this machine can be configured to be the master if it is available 
> show access-log 

Synopsis 

Displays the current access log settings. 

Syntax 

> show access-log [subcommands] 

Subcommands 

> show access-log default-logging 

Display the access log default policy. 

> show access-log format brief 

Displays the access log format names. 

> show access-log format format_name 

Displays the access log with the specified format_name. 

> show access-log format 

Displays the access-log formats for all log types. 

> show access-log log brief 

Displays the access log log names. 

> show access-log log logname 

Displays the access log with the specified log_name. 

> show access-log log 

Displays the access-log for all logs. 

> show access-log statistics log_name 

Displays access-log statistics for the specific log_name . 

> show access-log statistics 

Displays all access-log statistics. 

For More Information 

□ Volume 8: Access Logging 

Example 

> show access-log format brief 

Formats: 
squid 
ncsa 
main 
im 
streaming 
websense 
SurfControl 
smartreporter 
surfcontrolv5 
p2p 
ssl 
cifs 
mapi 
> show bandwidth-management 

Synopsis 

Displays the bandwidth management state (enabled or disabled) or statistics. 

Syntax 

> show bandwidth-management {configuration | statistics} 

Subcommands 

> show bandwidth-management configuration bandwidth_class 

Displays the bandwidth-management configuration for the specified bandwidth class. If you do not 
specify a bandwidth class, displays the bandwidth-management configuration for the system. 

> show bandwidth-management statistics bandwidth_class 

Displays the bandwidth-management statistics for the specified bandwidth class. If you do not specify a 
bandwidth class, displays the bandwidth-management statistics for the system. 

For More Information 

□ Volume 5: Advanced Networking 

Example 

> show bandwidth-management configuration 

Bandwidth Management Enabled 
> show bridge 



Synopsis 

Displays bridge configuration and statistics. 

Syntax 

> show bridge [subcommands] 



Subcommands 

> show bridge configuration [bridge_name] 

Displays the bridge configuration for the specified bridge_name or for all interfaces on the system. 

> show bridge fwtable [bridge_name] 

Displays the bridge forwarding table for the specified bridge_name or for all interfaces on the system. 

> show bridge statistics [bridge_name] 

Displays the bridge statistics for the specified bridge_name or for all interfaces on the system. 



For More Information 

□ Volume 1: Getting started 



Example 

> show bridge configuration 

Bridge passthru-0 configuration: 
Interface 0:0 
  Internet address: 10.9.59.246 
  Internet subnet:  255.255.255.0 
  MTU size:         1500 
  Spanning tree:    disabled 
  Allow intercept:  enabled 
  Reject inbound:   disabled 
  Status:           autosensed full 100 megabits/sec network link 
Interface 0:1 
  MTU size:         1500 
  Spanning tree:    disabled 
  Allow intercept:  enabled 
  Reject inbound:   disabled 
  Status:           autosensed no link 

> show commands 



Synopsis 

Displays the available CLI commands. 

Syntax 

> show commands [subcommands] 



Subcommands 

> show commands delimited [all | privileged] 

Delimited displays commands so they can be parsed. 

> show commands formatted [all | privileged] 

Formatted displays commands so they can be viewed easily. 



Example 



> show commands formatted 

1;show                 Show running system information 
2;access-log           Access log settings 
3;log                  Show Access log configuration 
4;brief                Show Access log names 
<log-name> 
3;format               Show Access log format configuration 
4;brief                Show Access log format names 
<format-name> 
3;statistics           Show Access log statistics 
<logName> 
3;default-logging      Show Access log default policy 



> show commands delimited 

1;show;Show running system information;sh;0;11 
2;access-log;Access log settings;acces;0;11 
3;log;Show Access log configuration;l;0;11 
4;brief;Show Access log names;b;0;11 
p;<log-name>;*;*;0;14 
3;format;Show Access log format configuration;f;0;11 
4;brief;Show Access log format names;b;0;11 
p;<format-name>;*;*;0;14 
3;statistics;Show Access log statistics;s;0;11 
p;<logName>;*;*;0;14 
3;default-logging;Show Access log default policy;d;0;11 
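Because the delimited form exists to be parsed, here is an added Python example (not part of this reference or of SGOS) that reads it into a keyword tree, rebuilds full command paths with their shortest listed abbreviations, and diffs a standard-mode listing against a privileged one to show which commands sit behind the enable password. The meaning of the two trailing numeric fields, and the treatment of p records as argument placeholders recorded together with the keyword path that precedes them, are assumptions of this example; the pcap lines in the privileged sample are constructed (their bridge and filter descriptions are the ones this reference shows for pcap ?).

```python
from dataclasses import dataclass, field

# Constructed sample: the 'show commands delimited' lines shown in this
# reference (a standard-mode listing), cleaned of OCR spacing.
STANDARD_LISTING = """\
1;show;Show running system information;sh;0;11
2;access-log;Access log settings;acces;0;11
3;log;Show Access log configuration;l;0;11
4;brief;Show Access log names;b;0;11
p;<log-name>;*;*;0;14
3;format;Show Access log format configuration;f;0;11
4;brief;Show Access log format names;b;0;11
p;<format-name>;*;*;0;14
3;statistics;Show Access log statistics;s;0;11
p;<logName>;*;*;0;14
3;default-logging;Show Access log default policy;d;0;11
"""

# Constructed sample: what a privileged session might list in addition, with a
# hypothetical pcap subtree appended (the pcap line itself is made up).
PRIVILEGED_LISTING = STANDARD_LISTING + """\
1;pcap;Packet capture;pc;0;11
2;bridge;Setup the packet capture mode for bridges;b;0;11
2;filter;Setup the current capture filter;f;0;11
"""


@dataclass
class Keyword:
    level: int            # 1 = top-level command, 2+ = nested keyword
    name: str
    description: str
    abbrev: str           # shortest accepted abbreviation, as listed
    children: list = field(default_factory=list)


def parse_delimited(text):
    """Parse 'show commands delimited' output.

    Returns (roots, placeholders): the top-level Keyword trees and a list of
    (placeholder, preceding command path) pairs for the 'p' records. Fields
    assumed: level or 'p', keyword, description, abbreviation, then two
    numeric fields the reference does not explain (only counted here).
    """
    roots, placeholders, stack = [], [], []   # stack[i]: open keyword at level i+1
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}: {line!r}")
        level, name, desc, abbrev = fields[:4]
        if level == "p":
            if not stack:
                raise ValueError(f"line {lineno}: placeholder before any keyword")
            placeholders.append((name, " ".join(k.name for k in stack)))
            continue
        depth = int(level)
        if depth < 1 or depth > len(stack) + 1:
            raise ValueError(f"line {lineno}: level {depth} has no parent")
        del stack[depth - 1:]            # close deeper (and same-level) keywords
        node = Keyword(depth, name, desc, abbrev)
        (roots if depth == 1 else stack[-1].children).append(node)
        stack.append(node)
    return roots, placeholders


def command_paths(roots):
    """Full keyword paths in listing order, e.g. 'show access-log log brief'."""
    out = []

    def walk(node, prefix):
        path = prefix + [node.name]
        out.append(" ".join(path))
        for child in node.children:
            walk(child, path)

    for root in roots:
        walk(root, [])
    return out


def shortest_form(roots, path):
    """Rewrite a full path using each keyword's listed abbreviation."""
    level, abbrevs = roots, []
    for part in path.split():
        match = next((n for n in level if n.name == part), None)
        if match is None:
            raise KeyError(f"unknown keyword {part!r} in {path!r}")
        abbrevs.append(match.abbrev)
        level = match.children
    return " ".join(abbrevs)


def privileged_only(standard_text, privileged_text):
    """Commands in the privileged listing that the standard listing lacks."""
    std = set(command_paths(parse_delimited(standard_text)[0]))
    priv = set(command_paths(parse_delimited(privileged_text)[0]))
    return sorted(priv - std)


if __name__ == "__main__":
    roots, placeholders = parse_delimited(STANDARD_LISTING)
    for path in command_paths(roots):
        print(f"{path:36} {shortest_form(roots, path)}")
    for name, after in placeholders:
        print(f"argument {name} follows: {after}")
    print("privileged only:", privileged_only(STANDARD_LISTING, PRIVILEGED_LISTING))
```

Capturing show commands delimited from a standard-mode session and again after enable, then diffing the two with privileged_only, gives a quick inventory of what an unprivileged CLI login can and cannot reach on a given release.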
> show diagnostics 

Synopsis 

Displays remote diagnostics information, including version number, and whether the Heartbeats 
feature and the SG appliance monitor are currently enabled. 

Syntax 

> show diagnostics [subcommands] 

Subcommands 

> show diagnostics configuration 

Displays diagnostics settings. 

> show diagnostics cpu-monitor 

Displays the CPU Monitor results. 

> show diagnostics service-info 

Displays service-info settings. 

> show diagnostics snapshot 

Displays the snapshot configuration. 



Example 



> show diagnostics snapshot 

Snapshot sysinfo 
  Target:        /sysinfo 
  Status:        Enabled 
  Interval:      1440 minutes 
  To keep:       30 
  To take:       Infinite 
  Next snapshot: 2006-03-18 00:00:00 UTC 
Snapshot sysinfo_stats 
  Target:        /sysinfo-stats 
  Status:        Enabled 
  Interval:      60 minutes 
  To keep:       30 
  To take:       Infinite 
  Next snapshot: 2006-03-17 20:00:00 UTC 
> show disk 

Synopsis 

Displays disk information, including slot number, vendor, product ID, revision and serial number, 
capacity, and status, about all disks or a specified disk. 

Syntax 

> show disk {disk_number | all} 

Subcommands 

> show disk disk_number 

Displays information on the specified disk. 

> show disk all 

Displays information on all disks in the system. 



Example 

> show disk 1 

Disk in slot 1 
  Vendor:             SEAGATE 
  Product:            ST340014A 
  Revision:           8.54 
  Disk serial number: 5JVQ76VS 
  Capacity:           40020664320 bytes 
  Status:             present 
> show exceptions 

Synopsis 

Displays all exceptions or just built-in or user defined exceptions. 

Syntax 

> show exceptions [built-in_id | user-defined_id] 

For More Information 

□ #(config) exceptions on page 172 

Example 

> show exceptions 

Built-in: 
authentication_failed 
authentication_failed_password_expired 
authentication_mode_not_supported 
authentication_redirect_from_virtual_host 
authentication_redirect_off_box 
authentication_redirect_to_virtual_host 
authentication_success 
authorization_failed 
bad_credentials 
client_failure_limit_exceeded 
configuration_error 
connect_method_denied 
content_filter_denied 
content_filter_unavailable 
dns_server_failure 
dns_unresolved_hostname 
dynamic_bypass_reload 
gateway_error 
icap_communication_error 
icap_error 
internal_error 
invalid_auth_form 
invalid_request 
invalid_response 
license_exceeded 
license_expired 
method_denied 
not_implemented 
notify 
notify_missing_cookie 
policy_denied 
policy_redirect 
radius_splash_page 
redirected_stored_requests_not_supported 
refresh 
server_request_limit_exceeded 
silent_denied 
spoof_authentication_error 
ssl_client_cert_revoked 
ssl_domain_invalid 
ssl_failed 
ssl_server_cert_expired 
ssl_server_cert_revoked 
ssl_server_cert_untrusted_issuer 
tcp_error 
transformation_error 
unsupported_encoding 
unsupported_protocol 
> show im 

Synopsis 

Displays Instant Messaging settings. 

Syntax 

> show im [subcommands] 

Subcommands 

> show im configuration 

Displays IM configuration information. 

> show im aol-statistics 

Displays statistics of AOL IM usage. 

> show im msn-statistics 

Displays statistics of MSN IM usage. 

> show im yahoo-statistics 

Displays statistics of Yahoo! IM usage. 

For More Information 

□ Volume 3: Web Communication Proxies. 

Example 

> show im configuration 

IM Configuration 
  aol-admin-buddy:        Blue Coat SG 
  msn-admin-buddy:        Blue Coat SG 
  yahoo-admin-buddy:      Blue Coat SG 
  exceptions:             out-of-band 
  buddy-spoof-message:    <none> 
  http-handoff:           enabled 
  explicit-proxy-vip:     <none> 
  aol-native-host:        login.oscar.aol.com 
  aol-http-host:          aimhttp.oscar.aol.com 
  aol-direct-proxy-host:  ars.oscar.aol.com 
  msn-native-host:        messenger.hotmail.com 
  msn-http-host:          gateway.messenger.hotmail.com 
  yahoo-native-host:      scs.msg.yahoo.com 
  yahoo-http-host:        shttp.msg.yahoo.com 
  yahoo-http-chat-host:   http.chat.yahoo.com 
  yahoo-upload-host:      filetransfer.msg.yahoo.com 
  yahoo-download-host:    .yahoofs.com 
> show ip-stats 

Synopsis 

Displays TCP/IP statistics. 

Syntax 

> show ip-stats [subcommands] 

Subcommands 

> show ip-stats all 

Displays TCP/IP statistics. 

> show ip-stats interface {all | number} 

Displays TCP/IP statistics for all interfaces or for the specified interface number (0 
to 7). 

> show ip-stats ip 

Displays IP statistics. 

> show ip-stats memory 

Displays TCP/IP memory statistics. 

> show ip-stats summary 

Displays TCP/IP summary statistics. 

> show ip-stats tcp 

Displays TCP statistics. 

> show ip-stats udp 

Displays UDP statistics. 

Example 

> show ip-stats summary 

TCP/IP Statistics 
TCP/IP General Statistics 
Entries in TCP queue: 12 
Maximum entries in TCP queue: 19 
Entries in TCP time wait queue: 0 
Maximum entries in time wait queue: 173 
Number of time wait allocation failures: 0 
Entries in UDP queue: 2 
> show sources 

Synopsis 

Displays source listings for installable lists, such as the license key, policy files, ICP settings, RIP 
settings, static route table, and WCCP settings files. 

Syntax 

> show sources [subcommands] 

Subcommands 

> show sources forwarding 

Displays forwarding settings. 

> show sources icp-settings 

Displays ICP settings. 

> show sources license-key 

Displays license information 

> show sources policy {central | local | forward | vpm-cpl | vpm-xml} 

Displays the policy file specified. 

> show sources rip-settings 

Displays RIP settings. 

> show sources socks-gateways 

Displays the SOCKS gateways settings. 

> show sources static-route-table 

Displays the static routing table information. 

> show sources wccp-settings 

Displays WCCP settings. 

Example 

> show sources socks-gateways 

# Current SOCKS Gateways Configuration 
# No update 
# Connection attempts to SOCKS gateways fail: closed 
socks_fail closed 
# 0 gateways defined, 64 maximum 
# SOCKS gateway configuration 
# gateway <gateway-alias> <gateway-domain> <SOCKS port> 
#   [version=(4 | 5 [user=<user-name> password=<password>] 
#     [request-compression=yes | no])] 
# Default fail-over sequence. 
# sequence <gateway-alias> <gateway-alias> ... 
# The default sequence is empty. 
# SOCKS Gateways Configuration Ends 
> show ssl 

Synopsis 

Displays SSL settings. 

Syntax 

> show ssl {ccl [list_name] | ssl-client [ssl_client]} 

Subcommands 

> show ssl ccl [list_name] 

Displays the currently configured CA certificate lists, or the configuration of the specified list_name. 

> show ssl ssl-client [ssl_client] 

Displays information about the specified SSL client. 



Example 

> show ssl ssl-client 

SSL-Client Name    Keyring Name    Protocol 
default            <None>          SSLv2v3TLSv1 
> show streaming 

Synopsis 

Displays QuickTime, RealNetworks, or Microsoft Windows Media information, and client and total bandwidth 
configurations and usage. 

Syntax 

> show streaming [subcommands] 

Subcommands 

> show streaming configuration 

Displays global streaming configuration. 

> show streaming quicktime {configuration | statistics} 

Displays QuickTime configuration and statistics. 

> show streaming real-media {configuration | statistics} 

Displays Real-Media configuration and statistics. 

> show streaming windows-media {configuration | statistics} 

Displays Windows-Media configuration and statistics. 

> show streaming statistics 

Displays client and gateway bandwidth statistics. 

For More Information 

□ Volume 3: Web Communication Proxies 



Example 

> show streaming configuration 

Streaming Configuration 
max-client-bandwidth:    unlimited 
max-gateway-bandwidth:   unlimited 
multicast address:       224.2.128.0 - 224.2.255.255 
multicast port:          32768 - 65535 
multicast TTL:           16 
> traceroute 

Use this command to trace the route from the current host to the specified destination host. 

Syntax 

> traceroute [subcommands] 

Subcommands 

> traceroute ip_address 

Specifies the IP address of the destination host. 

> traceroute hostname 

Specifies the name of the destination host. 



Example 

SGOS> traceroute 10.25.36.47 

Type escape sequence to abort. 
Tracing the route to 10.25.36.47 
1 10.25.36.47 0 0 0 
Privileged Mode Commands 

Privileged mode provides a robust set of commands that enable you to view, manage, and change SG 
appliance settings for features such as log files, authentication, caching, DNS, HTTPS, packet capture 
filters, and security. 



Note: The privileged mode subcommand, configure, enables you to manage the SG appliance 
features. 
# acquire-utc 

Synopsis 

Use this command to acquire the Universal Time Coordinates (UTC) from a Network Time Protocol 
(NTP) server. To manage objects, a SG appliance must know the current UTC time. Your SG appliance 
comes pre-populated with a list of NTP servers available on the Internet, and attempts to connect to 
them in the order they appear in the NTP server list on the NTP tab. If the SG appliance cannot access 
any of the listed NTP servers, the UTC time must be set manually. For instructions on how to set the 
UTC time manually, refer to Volume 1: Getting Started. 

Syntax 

# acquire-utc 

The acquire-utc command has no parameters or subcommands. 

Example 

SGOS# acquire-utc 

ok 
# bridge 

Synopsis 

This command clears bridge data. 

Syntax 

# bridge [subcommands] 

Subcommands 

# bridge clear-statistics bridge_name 

Clears bridge statistics. 

# bridge clear-fwtable bridge_name 

Clears the bridge forwarding table. 

For More Information 

□ Volume 1: Getting started 

Example 

SGOS# bridge clear-statistics testbridge 
ok 
# cancel-upload 

Synopsis 

This command cancels a pending access-log upload. The cancel-upload command allows you to stop 
repeated upload attempts if the Web server becomes unreachable while an upload is in progress. This 
command sets log uploading back to idle if the log is waiting to retry the upload. If the log is in the 
process of uploading, a flag is set for the log. This flag sets the log back to idle if the upload fails. 

Syntax 

# cancel-upload [subcommands] 

Subcommands 

# cancel-upload all 

Cancels upload for all logs. 

# cancel-upload log log_name 

Cancels upload for a specified log. 

For More Information 

□ Volume 8: Access Logging 

Example 

SGOS# cancel-upload all 

ok 
# clear-arp 

Synopsis 

The clear-arp command clears the Address Resolution Protocol (ARP) table. ARP tables are used to 
correlate an IP address to a physical machine address recognized only in a local area network. ARP 
provides the protocol rules for providing address conversion between a physical machine address 
(also known as a Media Access Control or MAC address) and its corresponding IP address, and vice 
versa. 

Syntax 

# clear-arp 

The clear-arp command has no parameters or subcommands. 

Example 

SGOS# clear-arp 
ok 
# clear-cache 

Synopsis 

This command clears the byte, dns, or object cache. This can be done at any time. However, keep in 
mind that if any cache is cleared, performance slows down until the cache is repopulated. 



Note: #clear-cache with no arguments can also be used to clear the object cache. 



Syntax 

# clear-cache [subcommands] 

Subcommands 

# clear-cache byte-cache 

Clears the byte cache. 

# clear-cache dns-cache 

Clears the DNS cache. 

# clear-cache object-cache 

Sets all objects in the cache to expired. 

Example 

SGOS# clear-cache byte-cache 

ok 



Volume 11: Command Line Interface Reference 

# clear-statistics 

Synopsis 

This command clears the bandwidth-management, persistent, and Windows Media, Real Media, and 
QuickTime streaming statistics collected by the SG appliance. To view streaming statistics from the 
CLI, use either the show streaming {quicktime | real-media | windows-media} statistics or 
the show bandwidth-management statistics [bandwidth_class] commands. To view streaming 
statistics from the Management Console, go to either Statistics > Streaming History > Windows 
Media/Real Media/Quicktime, or to Statistics > Bandwidth Mgmt. 

Syntax 

# clear-statistics [subcommands] 

Subcommands 

# clear-statistics bandwidth-management [class class_name] 

Clears bandwidth-management statistics, either for all classes at one time or for the 
bandwidth-management class specified. 

# clear-statistics efficiency 

Clears efficiency statistics. 

# clear-statistics epmapper 

Clears Endpoint Mapper statistics. 

# clear-statistics persistent [prefix] 

Clears statistics that persist after a reboot. You can clear all persistent statistics, or, since statistics are kept 
in a naming convention of group:stat, you can limit the statistics cleared to a specific group. Common 
prefixes include HTTP, SSL, and SOCKS. 

# clear-statistics quicktime 

Clears QuickTime statistics. 

# clear-statistics real-media 

Clears Real Media statistics. 

# clear-statistics windows-media 

Clears Windows Media statistics. 

Example 

SGOS# clear-statistics windows-media 

ok 
# configure 

Synopsis 

The privileged mode subcommand configure enables you to manage the SG appliance features. 

Syntax 

# config t 

Where conf refers to configure and t refers to terminal. 

This changes the prompt to #(config). At this point you are in configure terminal mode 
and can make permanent changes to the device. 

# config network url 

This command downloads a previously loaded web-accessible script, such as a configuration 
file, and implements the changes in the script onto the system. 

For More Information 

□ Chapter 3: "Privileged Mode Configure Commands" on page 87 

Example 

# conf n http://1.1.1.1/fconfigure.txt 
# disable 

Synopsis 

The disable command returns you to Standard mode from Privileged mode. 

Syntax 

# disable 

The disable command has no parameters or subcommands. 

For More Information 

□ > enable on page 16 

□ # exit on page 50 

Example 

SGOS# disable 
SGOS> 
# disk 

Synopsis 

Use the disk command to take a disk offline or to re-initialize a disk. 

On a multi-disk SG appliance, after issuing the disk reinitialize disk_number command, 
complete the reinitialization by setting it to empty and copying pre-boot programs, boot programs and 
starter programs, and system images from the master disk to the re-initialized disk. The master disk is 
the leftmost valid disk. Valid indicates that the disk is online, has been properly initialized, and is not 
marked as invalid or unusable. 



Note: If the current master disk is taken offline, reinitialized or declared invalid or unusable, the 
leftmost valid disk that has not been reinitialized since restart becomes the master disk. Thus 
as disks are reinitialized in sequence, a point is reached where no disk can be chosen as the 
master. At this point, the current master disk is the last disk. If this disk is taken offline, 
reinitialized, or declared invalid or unusable, the SG appliance is restarted. 



Reinitialization is done without rebooting the SG appliance. The SG appliance operations, in turn, are 
not affected, although during the time the disk is being reinitialized, that disk is not available for 
caching. Note that only the master disk reinitialization might restart the SG appliance. 

Syntax 

# disk [subcommands] 



Subcommands 

# disk offline disk_number 

Takes the disk specified by disk_number offline. 

# disk reinitialize disk_number 

Reinitializes the disk specified by disk_number. 

Example 

SGOS# disk offline 3 

ok 

SGOS# disk reinitialize 3 

ok 
# display 

See > display on page 15 for more information. 
# exit 

Synopsis 

Exits from Configuration mode to Privileged mode, from Privileged mode to Standard mode. From 
Standard mode, the exit command closes the CLI session. 

Syntax 

# exit 

The exit command has no parameters or subcommands. 

Example 

SGOS# exit 



# help 

See Accessing Quick Command Line Help on page 11 for information about this command. 
# hide-advanced 

Synopsis 

Use this command to disable advanced commands. 



Note: You can also use the configure command SGOS# (config) hide-advanced {all | 
expand} to hide commands. 



Syntax 

# hide-advanced [subcommands] 

Subcommands 

# hide-advanced all 

Hides all advanced commands. 

# hide-advanced expand 

Disables expanded commands. 

For More Information 

□ # reveal-advanced on page 71 

Example 

SGOS# hide-advanced expand 

ok 

SGOS# hide-advanced all 

ok 



# inline 

Synopsis 

Installs lists based on your terminal input. 

Discussion 

The easiest way to create installable lists, such as forwarding hosts, PAC files, and policy files, among 
others, is to take an existing file and modify it, or to create the text file on your local system, upload the 
file to a Web server, and download the file to the SG appliance. As an alternative, you can enter the list 
directly into the SG appliance through the inline command, either by typing the list line by line or by 
pasting the contents of the file. 

If you choose to create a text file to contain the configuration commands and settings, be sure to assign 
the file the extension .txt. Use a text editor to create this file, noting the following SG appliance 
configuration file rules: 

□ Only one command (and any associated parameters) permitted, per line 

□ Comments must begin with a semicolon (;) 

□ Comments can begin in any column, however, all characters from the beginning of the 
comment to the end of the line are considered part of the comment and, therefore, are ignored 

Tips: 

□ When entering input for the inline command, you can correct mistakes on the current line 
using the backspace key. If you catch a mistake in a line that has already been terminated with 
the Enter key, you can abort the inline command by typing <Ctrl-c>. If the mistake is caught 
after you terminate input to the inline command, you must re-enter the entire content. 

□ The end-of-input marker is an arbitrary string chosen by you to mark the end of input for 
the current inline command. The string can be composed of standard characters and numbers, 
but cannot contain any spaces, punctuation marks, or other symbols. 

Choose a unique end-of-input string that does not match any string of characters in the 
configuration information. One recommended end-of-input string is ''' (three single quotes). 

Syntax 

# inline [subcommands] 



Subcommands 

# inline accelerated-pac eof_marker 

Updates the accelerated PAC file with the settings you include between the beginning eof_marker and 
the ending eof_marker. 

# inline authentication-form form_name eof_marker 

Installs an authentication form from console input. 

# inline authentication-forms eof_marker 

Installs all authentication forms from console input. 

# inline banner eof_marker 

Updates the login banner for the telnet and SSH consoles with the settings you include between the 
beginning eof_marker and the ending eof_marker. 
# inline exceptions eof_marker 

Install exceptions with the settings you include between the beginning eof_marker and the ending 
eof_marker. 

# inline forwarding eof_marker 

Updates the forwarding configuration with the settings you include between the beginning 
eof_marker and the ending eof_marker. 

# inline icp-settings eof_marker 

Updates the current ICP settings with the settings you include between the beginning eof_marker and 
the ending eof_marker. 

# inline license-key eof_marker 

Updates the current license key settings with the settings you include between the beginning 
eof_marker and the ending eof_marker. 

# inline policy eof_marker 

Updates the current policy settings — central, local, forward, vpm-cpl, and vpm-xml — with the settings 
you include between the beginning eof_marker and the ending eof_marker. 

# inline rip-settings eof_marker 

Updates the current RIP settings with the settings you include between the beginning eof_marker and 
the ending eof_marker. 

# inline socks-gateways eof_marker 

Updates the current SOCKS gateway settings with the settings you include between the beginning 
eof_marker and the ending eof_marker. 

# inline static-route-table eof_marker 

Updates the current static route table settings with the settings you include between the beginning 
eof_marker and the ending eof_marker. 

# inline wccp-settings eof_marker 

Updates the current WCCP settings with the settings you include between the beginning eof_marker 
and the ending eof_marker. 



For More Information 

□ man pages for the specific component (wccp, acc pac, and the like) 

□ # load on page 57 

Example 

SGOS# inline wccp eof 
wccp enable 
eof 
# kill 

Synopsis 

Terminates a CLI session. 



Syntax 

# kill session_number 

where session_number is a valid CLI session number. 



Example 

> show sessions 
Sessions: 
#    state  type   start                      elapsed 
01   IDLE 
02   PRIVL  ssh    08 Aug 2006 21:27:51 UTC   23:08:04 
03*  NORML  ssh    10 Aug 2006 20:35:40 UTC   00:00:15 

> enable 
Enable Password: 

# kill 3 
ok 


Chapter 2: Standard and Privileged Mode Commands 



# licensing 

Synopsis 

Use these commands to request or update licenses. 

Syntax 

# licensing [subcommands] 

Subcommands 

# licensing request-key [force] user_id password 

Requests the license key from Blue Coat using the WebPower user ID and password. 

# licensing update-key [force] 

Updates the license key from Blue Coat now. 

# licensing register-hardware [force] user_ID password 

Registers the hardware with Blue Coat. 

# licensing mark-registered 

Mark the hardware registered manually. 

# licensing disable-trial 

Disable trial period. 

# licensing enable-trial 

Enable trial period. 

For More Information 

□ Volume 1: Getting started 

Example 

SGOS# licensing request-key 

User ID: admin 
Password: ***** 
... 
ok 

where "..." represents license download-in-progress information. 
# load 

Synopsis 

Downloads installable lists or system upgrade images. These installable lists or settings also can be 
updated using the inline command. 

Syntax 

# load accelerated-pac 

Downloads the current accelerated pac file settings. 

# load authentication-form formname 

Downloads the new authentication form. 

# load authentication-forms 

Downloads the new authentication forms. 

# load exceptions 

Downloads new exceptions. 

# load forwarding 

Downloads the current forwarding settings. 

# load icp-settings 

Downloads the current ICP settings. 

# load license-key 

Downloads the new license key. 

# load policy {central | forward | local | vpm-cpl | vpm-xml} 

Downloads the policy file specified 

# load rip-settings 

Downloads the current RIP settings. 

# load socks-gateways 

Downloads the current SOCKS gateways settings. 

# load sg-client-software 

Loads the SG Client software to the Client Manager. To use this command, you must have previously 
defined an upload location using #(config) sg-client on page 310. Messages display as 
the software loads. 

# load static-route-table 

Downloads the current static route table settings. 

# load upgrade [ignore-warnings] 

Downloads the latest system image. The ignore-warnings option allows you to force an upgrade even if 
you receive policy deprecation warnings. Note that using the load upgrade ignore-warnings command 
to force an upgrade while the system emits deprecation warnings results in a policy load failure; all 
traffic is allowed or denied according to default policy. 

# load wccp-settings 

Downloads the current WCCP settings. 

# load timezone-database 

Downloads a new time zone database. 



For More Information 

□ # inline on page 53 
Example 

> show download-paths 

Policy 
  Local: 
  Forward: 
  VPM-CPL: 
  VPM-XML: 
  Central: https://download.bluecoat.com/release/SG3/files/CentralPolicy.txt 
    Update when changed: no 
    Notify when changed: no 
    Polling interval: 1 day 
Accelerated PAC: 
ICP settings: 
RIP settings: 
Static route table: 
Upgrade image: bcserver1.bluecoat.com/builds/ca_make.26649/wdir/8xx.CHK_dbg 
WCCP settings: 
Forwarding settings: 
SOCKS gateway settings: 
License key: 
Exceptions: 
Authentication forms: 

>en 
Enable Password: 
# load upgrade 

Downloading from "bcserver1.bluecoat.com/builds/ca_make.26649/wdir/8xx.CHK_dbg" 
Downloading new system software (block 2611) 
The new system software has been successfully downloaded. 
Use "restart upgrade" to install the new system software. 
# pcap 

Synopsis 

The PCAP utility enables you to capture packets of Ethernet frames entering or leaving a SG 
appliance. Packet capturing allows filtering on various attributes of the frame to limit the amount of 
data collected. The collected data can then be transferred to the desktop for analysis. 



Note: Before using the PCAP utility, consider that packet capturing doubles the amount of 
processor usage performed in TCP/IP. 

To view the captured packets, you must have a tool that can read Packet Sniffer Pro 1.1 files. 



Syntax 

# pcap [subcommands] 

Subcommands 

# pcap filter on page 60 

Specifies filters to use for PCAP. 

# pcap info 

Displays the current packet capture information. 

# pcap start on page 62 
Starts the capture. 

# pcap stop 

Stops the capture. 

# pcap transfer full_url/filename username password 

Transfers captured data to an FTP site. 



For More Information 

□ Volume 9: Managing the Blue Coat SG Appliance. 

Example 1 

Capture transactions among a SG appliance (10.1.1.1), a server (10.2.2.2), and a client (10.1.1.2). 

SGOS# pcap filter expr "host 10.1.1.1 || host 10.2.2.2 || host 10.1.1.2" 

Example 2 

This example transfers captured packets to the FTP site 10.25.36.47. Note that the username and 
password are provided. 

SGOS# pcap transfer ftp://10.25.36.47/path/filename.cap username password 

If the folders in the path do not exist, they are not created. An error message is generated. 
# pcap filter 

Synopsis 

After a filter is set, it remains in effect until it is redefined; the filtering properties are persistent across 
reboots. However, PCAP stops when a system is rebooted. 

Syntax 

# pcap filter [subcommands] 



Subcommands 

# pcap filter [direction {in | out | both}] 

Specifies capture in the specified direction. If both is selected, both incoming and outgoing packets are 
captured. The default setting is both. 

# pcap filter [interface adapter_number:interface_number | all] 

Specifies capture on the specified interface or on all interfaces. For example, 0:1. The interface number 
must be between 0 and 16. The default setting is all. 

# pcap filter [expr filter_expression] 

Specifies capture only when the filter expression matches. 

# pcap filter 

No filtering specified (captures all packets in both directions — on all interfaces). 

For More Information 

□ Volume 9: Managing the Blue Coat SG Appliance. 

Example 

This example configures packet capturing in both directions, on all interfaces, to or from port 3035: 

# pcap filter direction both interface all expr "port 3035" 

ok 

To verify the settings before starting PCAP, enter pcap info: 

SGOS# pcap info 

Current state: Stopped 

Filtering: On 

Filter: direction both interface all expr "port 3035" 

Packet capture information: 

Packets captured: 0 

Bytes captured: 0 

Packets written: 0 

Bytes written: 0 

Coreimage ram used: 0B 

Packets filtered through: 0 
To start PCAP, enter pcap start. Then run pcap info to view the results of the packet capture. 

SGOS# pcap start 

ok 



SGOS# pcap info 

Current state: Capturing 

Filtering: On 

Filter: direction both interface all expr "port 3035" 

Packet capture information: 

first count 4294967295 capsize 100000000 trunc 4294967295 coreimage 0 



Packets captured: 2842 

Bytes captured: 237403 

Packets written: 2836 

Bytes written: 316456 

Coreimage ram used: 0B 

Packets filtered through: 8147 



After PCAP is stopped (using the pcap stop command), enter pcap info to view the results of your 
PCAP session. You should see results similar to the following: 



SGOS# pcap info 

Current state: Stopped 

Filtering: On 

Filter: direction both interface all expr "port 3035" 



Packet capture information: 



Packets captured: 5101 

Bytes captured: 444634 

Packets written: 5101 

Bytes written: 587590 

Coreimage ram used: 0B 

Packets filtered through: 10808 
# pcap start 

Synopsis 

Start packet capture. The pcap start options are not persistent across reboots. You must reconfigure 
them if you reboot the system. 

Syntax 

# pcap start [subcommands] 



Subcommands 

[buffering -method] 

Syntax: [first | last] { [count <N>] | [capsize <NKB>] } 

The buffering method specifies how captured packets are buffered in memory. The amount of 
packets buffered cannot exceed a hard limit of 100MB. 

[count] and [capsize] 

The count option specifies that the buffer limit is controlled by the number of packets stored 
in the buffer. The value of count must be between 1 and 1000000. 

The capsize option specifies that the buffer limit is controlled by the total number of bytes of 
packets stored in the buffer. The capsize value must be between 1 and 102400. 



Note: The capsize n option is an approximate command; it captures an approximate 
number of packets. The actual size of the file written to disk is a little larger than the capsize 
value because of extra packet information such as time-stamps. If no parameters are specified, 
the default is to capture until the stop subcommand is issued or the maximum limit is reached. 



[first] and [last] 

The first and last options affect the buffering behavior when the buffer is full. When first 
is specified, PCAP stops when the buffer limit is exceeded. When last is specified, PCAP 
continues capturing even after the buffer limit has been exceeded. The oldest captured packets 
are removed from the buffer to make space for the newly captured packets: in this way, PCAP 
captures the last N (or N K bytes of) packets. The saved packets in memory are written to disk 
when the capture is terminated. 

The packet capture file size is limited to 1% of total RAM, which might be reached before n 
packets have been captured. 



Note: The first option is a specific command; it captures an exact number of packets. If 
no parameters are specified, the default is to capture until the stop subcommand is issued or 
the maximum limit is reached. 



[coreimage n] 

Specifies kilobytes of packets kept in a core image. The core image size must be between 0 and 102400. 
By default, no packets are kept in the core image. 

[trunc n] 

The trunc n parameter collects, at most, n bytes of packets from each frame when writing to disk. The 
range is 1 to 65535. 
For More Information 

□ Volume 9: Managing the Blue Coat SG Appliance. 

Example 1 

The following command captures the first 2000 packets that match the filtering expression: 

# pcap start first count 2000 

Note that the first option configures PCAP to stop capturing after the buffer limit of 2000 packets has 
been reached. If the last option had been specified, PCAP keeps capturing packets even after the 
buffer limit had been exceeded, until halted by the pcap stop command. 

Example 2 

The following command stops the capturing of packets after approximately three kilobytes of packets 
have been collected. 

SGOS# pcap start first capsize 3 
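The first/last and count/capsize buffering rules described for pcap start, replayed over constructed frame sizes in an added Python example (not Blue Coat code). It models only the documented {count | capsize} choice and the 100MB hard limit, not the 1% of RAM file-size limit, trunc, or coreimage.

```python
"""Model of the `pcap start` buffering options: [first | last] {count | capsize}.

Added example, not Blue Coat code. A constructed stream of frame sizes is fed
through the rules the reference states: `first` stops capturing once the limit
is reached, `last` keeps capturing and discards the oldest frames.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Optional, Tuple

COUNT_MAX = 1_000_000      # count must be 1..1000000 (from the reference)
CAPSIZE_MAX_KB = 102_400   # capsize must be 1..102400 KB, the 100MB hard limit


@dataclass
class BufferedPacket:
    index: int   # position of the frame in the input stream
    size: int    # frame length in bytes


class PcapBuffer:
    def __init__(self, mode: str, count: Optional[int] = None,
                 capsize_kb: Optional[int] = None) -> None:
        if mode not in ("first", "last"):
            raise ValueError("mode must be 'first' or 'last'")
        if (count is None) == (capsize_kb is None):
            raise ValueError("specify exactly one of count or capsize")
        if count is not None and not 1 <= count <= COUNT_MAX:
            raise ValueError(f"count must be 1..{COUNT_MAX}")
        if capsize_kb is not None and not 1 <= capsize_kb <= CAPSIZE_MAX_KB:
            raise ValueError(f"capsize must be 1..{CAPSIZE_MAX_KB}")
        self.mode = mode
        self.count = count
        self.cap_bytes = capsize_kb * 1024 if capsize_kb is not None else None
        self.packets: Deque[BufferedPacket] = deque()
        self.bytes_buffered = 0
        self.capturing = True
        self.next_index = 0

    def _would_exceed(self, size: int) -> bool:
        """Would adding one more frame of `size` bytes cross the configured limit?"""
        if self.count is not None:
            return len(self.packets) + 1 > self.count
        return self.bytes_buffered + size > self.cap_bytes

    def offer(self, size: int) -> bool:
        """Feed one frame of `size` bytes; return True if it is now buffered."""
        idx = self.next_index
        self.next_index += 1
        if not self.capturing:
            return False
        if self._would_exceed(size):
            if self.mode == "first":
                self.capturing = False   # first: stop once the limit is reached
                return False
            # last: evict the oldest frames until the new one fits
            while self.packets and self._would_exceed(size):
                old = self.packets.popleft()
                self.bytes_buffered -= old.size
            if self._would_exceed(size):
                return False             # a single frame larger than capsize never fits
        self.packets.append(BufferedPacket(idx, size))
        self.bytes_buffered += size
        return True

    def kept_indices(self) -> List[int]:
        return [p.index for p in self.packets]


def simulate(mode: str, sizes: List[int], count: Optional[int] = None,
             capsize_kb: Optional[int] = None) -> Tuple[List[int], bool]:
    """Run every frame through a buffer; return (kept frame indices, still capturing)."""
    buf = PcapBuffer(mode, count=count, capsize_kb=capsize_kb)
    for s in sizes:
        buf.offer(s)
    return buf.kept_indices(), buf.capturing


if __name__ == "__main__":
    # Constructed stream: five 100-byte frames, limit of three frames.
    print("first count 3:", simulate("first", [100] * 5, count=3))
    print("last  count 3:", simulate("last", [100] * 5, count=3))
    # The page's Example 2: "pcap start first capsize 3" on three 1500-byte frames.
    print("first capsize 3:", simulate("first", [1500] * 3, capsize_kb=3))
```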
# ping 

Synopsis 

Use this command to verify that a particular IP address exists and can accept requests. Ping output 
also tells you the minimum, maximum, and average time it took for the ping test data to reach the 
other computer and return to the origin. 

Syntax 

# ping {ip_address | hostname} 

where ip_address is the IP address and hostname is the hostname of the remote computer. 

Example 

SGOS# ping 10.25.36.47 

Type escape sequence to abort. 

Sending 5, 64-byte ICMP Echos to 10.25.36.47, timeout is 2 seconds: 

!!!!! 

Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms 
Number of duplicate packets received = 0 
# policy 

Synopsis 

Use this command to configure policy commands. 



Note: Configuring the policy command to trace all transactions by default can significantly 
degrade performance and should only be used in situations where a problem is being 
diagnosed. 



Syntax 

# policy trace {all | none} 

Use all to trace all transactions by default, and use none to specify no tracing except as specified 
in policy files. 

Example 

SGOS# policy trace all 

ok 

All requests will be traced by default; 

Warning: this can significantly degrade performance. 

Use 'policy trace none' to restore normal operation 
SGOS# policy trace none 
ok 
# purge-dns-cache 

Synopsis 

This command clears the DNS cache. You can purge the DNS cache at any time. You might need to do 
so if you have experienced a problem with your DNS server, or if you have changed your DNS 
configuration. 

Syntax 

# purge-dns-cache 

The purge-dns-cache command has no parameters or subcommands. 

Example 

SGOS# purge-dns-cache 

ok 
# register-with-director 

Synopsis 

The register-with-director command is a setup command that automatically registers the SG 
appliance with a Blue Coat Director, thus enabling that Director to establish a secure administrative 
session with the appliance. During the registration process, Director can "lock out" all other 
administrative access to the appliance so that all configuration changes are controlled and initiated by 
Director. 

If your appliance does not have an appliance certificate, you must specify the registration password 
that is configured on Director. 

Syntax 

# register-with-director dir_ip_address [appliance_name dir_serial_number] 

Example 

SGOS# register-with-director 192.168.0.x 

Registration Successful 
# restart 

Synopsis 

Restarts the system. The restart options determine whether the SG appliance should simply reboot the 
SG appliance (regular), or should reboot using the new image previously downloaded using the load 
upgrade command (upgrade). 

Syntax 

# restart [subcommands] 

Subcommands 

# restart abrupt 

Reboots the system abruptly, according to the version of the SG appliance that is currently installed. 
Restart abrupt saves a core image. Note that the restart can take several minutes using this option. 

# restart regular 

Reboots the version of the SG appliance that is currently installed 

# restart upgrade 

Reboots the entire system image and allows you to select the version you want to boot, not limited to the 
new version on the system. 

For More Information 

□ # load on page 57 

Example 

SGOS# restart upgrade 

ok 

SGOS# Read from remote host 10.9.17.159: Connection reset by peer 
Connection to 10.9.17.159 closed. 
# restore-sgos4-config 

Restores the SG appliance to settings last used with SGOS 4.x. The SG appliance retains the network 
settings. Note that a reboot is required to complete this command. 

Syntax 

# restore-sgos4-config 

Example 

SGOS# restore-sgos4-config 

Restoring SGOS 4.x configuration requires a restart to take effect. 

The current configuration will be lost and the system will be restarted. 
Continue with restoring? (y/n) [n] : y 
Restoring configuration . . . 

Or if there is no SGOS 4.x configuration found: 

SGOS# restore-sgos4-config 

%% No SGOS 4.x configuration is available on this system. 



For More Information 

□ # restore-defaults on page 70 
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# restore-defaults 



# restore-defaults 

Synopsis 

Restores the SG appliance to the default configuration. When you restore system defaults, the SG 
appliance's IP address, default gateway, and the DNS server addresses are cleared. In addition, any 
lists (for example, forwarding or bypass) are cleared. After restoring system defaults, you need to 
restore the SG appliance's basic network settings, as described in Volume 9: Managing the Blue Coat SG 
Appliance, and reset any customizations. 

Syntax 

# restore-defaults [subcommands] 

Subcommands 

# restore-defaults factory-defaults 

Reinitializes the SG appliance to the original settings it had when it was shipped from the factory. 

# restore-defaults force 

Restores the system defaults without confirmation. 

If you do not use the force option, you are prompted to enter yes or no before the 
restoration can proceed. 

# restore-defaults keep-console [force] 

Restores defaults except the settings required for console access. Using the keep-console option retains 
the settings for all consoles (Telnet, SSH, HTTP, and HTTPS consoles), whether they are enabled, 
disabled, or deleted. 

If you use the force option, you are not prompted to enter yes or no before the restoration can 
proceed. 

For More Information 

□ Volume 9: Managing the Blue Coat SG Appliance 

Example 

SGOS# restore-defaults 

Restoring defaults requires a restart to take effect. 

The current configuration will be lost and the system will be restarted. 

Continue with restoring? (y/n) [n] : n 
Existing configuration preserved. 
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# reveal-advanced 



# reveal-advanced 

Synopsis 

The reveal-advanced command enables all, or a subset, of the advanced commands available to you 
when using the CLI. Use # hide-advanced {all | expand} to hide them again. 

Syntax 

# reveal-advanced [subcommands] 

Subcommands 

# reveal-advanced all 

Reveals all advanced commands. 

# reveal-advanced expand 

Enables expanded commands. 

For More Information 

□ # hide-advanced on page 52 

Example 

SGOS# reveal-advanced all 

ok 
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# show 



# show 

The # show command displays all the show commands available in the standard mode plus the show 
commands available only in privileged mode and configuration mode. Only show commands 
available in privileged mode are discussed here. For show commands also available in the standard 
mode, see > show on page 20. 

Synopsis 

Use this command to display system information. 

Syntax 

# show [subcommands] 

Subcommands 

# show archive-configuration 

Displays archive configuration settings. 

# show adn 

Displays ADN configuration. 

# show attack-detection on page 75 

Displays client attack-detection settings. 

# show configuration on page 76 

Displays system configuration. 

# show connection-forwarding 

Displays TCP connection forwarding status and peer IP address list. 

# show content on page 77 

Displays content-management commands. 

# show content-filter {bluecoat | i-filter | intersafe | iwf | local | optenet | 
proventia | smartfilter | surfcontrol | status | websense | webwasher} 

Shows settings for Blue Coat Web Filter or the various third-party content-filtering vendors. You can get 
information on current content-filtering status by using the # show content-filter status 
command. 

# show proxy-services on page 78 

Displays information on static and dynamic bypass and proxy-service behavior. 

# show realms 

Displays the status of each realm. 

# show security on page 79 

Displays security settings. 

# show ssh on page 80 
Displays SSH settings. 

# show sg-client 

Displays SG Client settings. 

# show ssl on page 81 

Also available in standard mode, the # show ssl command offers more options in privileged mode. 

# show system-resource-metrics 

Displays system resource statistics. 
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# show 



Examples 

# show archive-configuration 

Archive configuration 
Protocol : FTP 
Host : 

Path : 

Filename : 

Username : 

Password: ************ 



# show content-filter status 

Provider: Blue Coat 
Status: Database unavailable 
Download URL: https://list.bluecoat.com/bcwf/activity/download/bcwf.db 
Download Username: 
Automatic download: Enabled 
Download time of day (UTC): 0 
Download on: sun, mon, tue, wed, thu, fri, sat 
Category review message: Disabled 
Dynamic Categorization Service: Enabled 
Dynamic Categorization Mode: Real-time 

Download log: 
Blue Coat download at: Sat, 18 Mar 2006 01:57:24 UTC 
Downloading from https://list.bluecoat.com/bcwf/activity/download/bcwf.db 
Requesting differential update 
Differential update applied successfully 
Download size: 84103448 
Database date: Thu, 09 Feb 2006 08:11:51 UTC 
Database expires: Sat, 11 Mar 2006 08:11:51 UTC 
Database version: 2005040 



# show realms 

Local realm: 
  No local realm is defined. 
RADIUS realm: 
  Realm name:              RADIUS1 
  Display name:            RADIUS1 
  Case sensitivity:        enabled 
  Primary server host:     10.9.59.210 
  Primary server port:     1812 
  Primary server secret:   ************ 
  Alternate server host: 
  Alternate server port:   1812 
  Alternate server secret: ************ 
  Server retry count:      5 
  Cache duration:          900 
  Virtual URL: 
  Server timeout:          5 
  Spoof authentication:    none 
  One time passwords:      no 
LDAP realm(s): 
  No LDAP realms are defined. 
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# show adn 



# show adn 



Synopsis 

Displays ADN settings and statistics. 

Syntax 

# show adn [subcommands] 



Subcommands 

# show adn byte-cache 

Displays ADN byte-cache settings. 

# show adn routing [advertise-internet-gateway | server-subnets] 

Displays ADN routing settings. 

# show adn tunnel 

Displays ADN tunnel configuration. 

For More Information 

□ Volume 5: Advanced Networking 



Example 

# show adn 

Application Delivery Network Configuration: 
ADN: disabled 
  Manager port:          3034 
  Tunnel port:           3035 
  Primary manager:       none 
  Backup manager:        none 
  External VIP:          none 
Byte-cache Configuration: 
  Max number of peers:   10347 
  Max peer memory:       30 
Tunnel Configuration: 
  proxy-processing http: disabled 
  TCP window size:       65536 
  reflect-client-ip:     use-local-ip 
Routing Configuration: 
  Internet Gateway:      disabled 
  Exempt Server subnet:  10.0.0.0/8 
  Exempt Server subnet:  172.16.0.0/16 
  Exempt Server subnet:  192.168.0.0/16 
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# show attack-detection 



# show attack-detection 

Synopsis 

Displays client attack-detection settings and client and server statistics. 

Syntax 

# show attack-detection [subcommands] 

Subcommands 

client [blocked | connections | statistics] 
Displays client attack-detection settings. 

client configuration 

Displays attack-detection configuration. 

server [statistics] 

Displays server statistics. 

For More Information 

□ Volume 5: Advanced Networking 
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# show configuration 



# show configuration 

Synopsis 

Displays the current configuration, that is, the settings that differ from the default configuration. 

Syntax 

# show configuration [subcommands] 

Subcommands 

# show configuration 

Displays all settings. 

# show configuration brief 

Displays the configuration without inline expansion. 

# show configuration expanded 

Displays the configuration with inline expansion. 

# show configuration noprompts 

Displays the configuration without --More-- prompts. 

# show configuration post-setup 

Displays the configuration made after console setup. 

Example 

Assuming non-default settings of: 

□ policy = <Proxy> DENY 

□ IP address of 10.167.42.38 

# show configuration brief 

interface 0:0 ;mode 
ip-address 10.167.42.38 
exit 

# show configuration expanded 

interface 0:0 ;mode 
ip-address 10.167.42.38 
exit 
! 
inline policy local "end-326998078-inline" 
<Proxy> 
DENY 
end-326998078-inline 
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# show content 



# show content 

Synopsis 

Displays content-management commands. 

Syntax 

# show content [subcommands] 

Subcommands 

# show content outstanding-requests 

Displays the complete list of outstanding asynchronous content revalidation and distribute requests. 

# show content priority [regex regex | url url] 

Displays the deletion priority value assigned to the specified regex or URL, respectively. 

# show content url url 

Displays statistics of the specified URL. 

For More Information 

□ Volume 7: Managing Content 
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# show proxy-services 



# show proxy-services 

Synopsis 

Displays information about proxy services. 

Syntax 

# show proxy-services [subcommands] 

Subcommands 

# show proxy-services 

Displays all proxy services configured on the system. 

# show proxy-services dynamic-bypass 

Displays dynamic-bypass information. 

# show proxy-services services bypass 

Displays services containing a bypass action. 

# show proxy-services services intercept 

Displays services containing an intercept action. 

# show proxy-services services name 

Displays services whose name contains the given substring. 

# show proxy-services services proxy 

Displays services using a specific proxy. 

# show proxy-services static-bypass 

Displays static-bypass information. 

For More Information 

□ Volume 2: Proxies and Proxy Services 
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# show security 



# show security 

Synopsis 

Displays information about security parameters. 

Syntax 

# show security [subcommands] 



Subcommands 

# show security 

Displays all security settings on the system. 

# show security authentication-errors 

Displays all authentication errors. 

# show security authentication-forms 

Displays authentication forms configured on the system. 

# show security local-user-list 

Displays the local user list configured on the system. 

# show security local-user-list-group 

Displays the groups in the local user list. 

# show security local-user-list-user 

Displays a user in the local user list. 

For More Information 

□ Volume 4: Securing the Blue Coat SG Appliance 

Example 

# show security 

Account: 
  Username: "admin" 
  Hashed Password: $1$it$24YXwuAGbmvQ17zhaeG5u. 
  Hashed Enable Password: $1$UlJZbCll$itmTNhAwhymF2BNwBnuml/ 
  Hashed Front Panel PIN: "$1$50KI$KR0RtYxQ102Z26cLy.Pq5." 
Management console display realm name: "" 
Management console auto-logout timeout: 900 seconds 
Access control is disabled 
Access control list (source, mask): 
Flush credentials on policy update is enabled 
Default authenticate.mode: auto 
Transparent proxy authentication: 
  Method: cookie 
  Cookie type: session 
  Cookie virtual-url: "www.cfauth.com/" 
  IP time-to-live: 15 
  Verify IP: yes 
  Allow redirects: no 






# show ssh 



# show ssh 

Synopsis 

Displays the SSH service details. 

Syntax 

# show ssh [subcommands] 

Subcommands 

# show ssh client-key [username] 

Displays the client key fingerprint for the specified username. 

Note: If you upgraded from an older version of the SG appliance, you might not need to enter a 
username. 

# show ssh director-client-key [key_id] 

Displays all client key fingerprints or the client key fingerprint of the specified key ID. 

# show ssh host-public-key [sshv1 | sshv2] 

Displays the sshv1 or sshv2 host public key. Both keys are displayed if you do not specify a version. 

# show ssh user-list 

Displays a list of users with imported RSA client keys. 

# show ssh versions-enabled 

Displays which SSH version or versions are enabled. 

For More Information 

□ Volume 1: Getting started 

□ Volume 2: Proxies and Proxy Services 

Example 

# show ssh versions-enabled 

SSHv2 is enabled. 
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# show 



# show ssl 



# show ssl 

Synopsis 

Displays SSL settings. 

Syntax 

# show ssl [subcommands] 

Subcommands 

# show ssl ca-certificate name 

Displays the CA certificate configuration for the specified name. 

# show ssl ccl [list_name] 

Displays the currently configured CA certificate lists, or the configuration of the specified list_name. This 
option can also be viewed from standard mode. 

# show ssl certificate keyring_id 

Displays the certificate configuration for the specified keyring. 

# show ssl crl crl_id 

Displays the SSL Certificate Revocation List (CRL) of the specified ID. 

# show ssl external-certificate name 

Displays the external certificate configuration of the specified name. 

# show ssl intercept 

Displays the SSL intercept configuration. 

# show ssl key-pair {des | des3 | unencrypted} keyring_id 

Displays the key pair. To view the key pair in an encrypted format, specify des or des3 before the 
keyring_id; you are then prompted for the challenge entered when the keyring was created. With 
unencrypted, the private key is written to the terminal in the clear, so treat the session output (and any 
session log) as sensitive. 

# show ssl keyring [keyring_id] 

Displays all keyrings or the keyring of the specified ID. 

# show ssl secure-signing-request keyring_id 

Displays the signed certificate signing request for the specified keyring. 

# show ssl signing-request keyring_id 

Displays the certificate signing request configuration for the specified keyring. 

# show ssl ssl-client [ssl_client] 

Displays information about all SSL clients or the specified SSL client. This option can also be viewed 
from standard mode. 

# show ssl ssl-nego-timeout 

Displays the SSL negotiation timeout configuration. 

# show ssl summary {ca-certificate | crl | external-certificate} 

Displays the SSL summary information for CA certificates, CRLs, or external certificates. 

For More Information 

□ Volume 2: Proxies and Proxy Services 
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# show 



# show ssl 



Example 

# show ssl keyring 

KeyringID: configuration-passwords-key 
  Is private key showable? yes 
  Have CSR? no 
  Have certificate? no 
KeyringID: default 
  Is private key showable? yes 
  Have CSR? no 
  Have certificate? yes 
  Is certificate date range valid? yes 
  CA: Blue Coat SG200 Series 
  Expiration Date: Mar 02 22:25:32 2016 GMT 
  Fingerprint: B2:DE:C4:98:58:18:3C:E3:B3:4A:1C:FC:AB:B5:A4:74 
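The output of show security, show ssh versions-enabled and show ssl keyring is what a reviewer reads when auditing an appliance's management plane. The following Python script is an added example, not code from this guide or from Blue Coat: it parses saved captures of those three commands and flags the conditions a reviewer looks for (console access control disabled, SSHv1 still enabled, an MD5-crypt ($1$) admin password hash, keyrings whose private key is showable, and certificates that are expired or close to expiry). The captures are constructed from the examples in this chapter, with a third keyring added; the 90-day expiry window and the finding texts are assumptions for the example.

```python
"""Audit saved output of the SGOS 'show security', 'show ssh versions-enabled'
and 'show ssl keyring' commands for weak management-plane settings.
Added example; the captures and thresholds below are constructed assumptions."""
import re
from datetime import datetime, timedelta, timezone

# Constructed capture of '# show security' (only the lines the audit reads).
SHOW_SECURITY = """\
Account:
  Username: "admin"
  Hashed Password: $1$it$24YXwuAGbmvQ17zhaeG5u.
  Management console auto-logout timeout: 900 seconds
  Access control is disabled
  Access control list (source, mask):
"""

# Constructed capture of '# show ssh versions-enabled' with SSHv1 still on.
SHOW_SSH_VERSIONS = "SSHv1 is enabled.\nSSHv2 is enabled.\n"

# Constructed capture of '# show ssl keyring' (third keyring is invented).
SHOW_SSL_KEYRING = """\
KeyringID: configuration-passwords-key
  Is private key showable? yes
  Have certificate? no
KeyringID: default
  Is private key showable? yes
  Have certificate? yes
  CA: Blue Coat SG200 Series
  Expiration Date: Mar 02 22:25:32 2016 GMT
KeyringID: mgmt-console
  Is private key showable? no
  Have certificate? yes
  CA: Example Corp Issuing CA
  Expiration Date: Jan 15 00:00:00 2017 GMT
"""


def parse_show_security(text):
    """Pull the access-control state and the admin password hash."""
    info = {"access_control_enabled": None, "password_hash": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Access control is (enabled|disabled)$", line)
        if m:
            info["access_control_enabled"] = m.group(1) == "enabled"
        m = re.match(r"Hashed Password: (\S+)", line)
        if m:
            info["password_hash"] = m.group(1)
    return info


def parse_ssh_versions(text):
    """Return the set of SSH protocol versions reported as enabled."""
    return set(re.findall(r"(SSHv[12]) is enabled", text))


def parse_keyrings(text):
    """Split 'show ssl keyring' output into one dict per KeyringID block.
    Lines are 'question? answer' or 'label: value'; both become keys."""
    rings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("KeyringID:"):
            rings.append({"id": line.split(":", 1)[1].strip()})
        elif rings and ("?" in line or ":" in line):
            key, value = line.split("?" if "?" in line else ":", 1)
            rings[-1][key.strip()] = value.strip()
    return rings


def audit(security, ssh_versions, keyrings, now, expiry_warn_days=90):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    findings = []
    if security["access_control_enabled"] is False:
        findings.append("console access control is disabled: any source IP "
                        "may reach the management consoles")
    if (security["password_hash"] or "").startswith("$1$"):
        findings.append("admin password is stored as MD5-crypt ($1$), cheap "
                        "to brute-force if the configuration leaks")
    if "SSHv1" in ssh_versions:
        findings.append("SSHv1 is enabled on the SSH console")
    for ring in keyrings:
        if ring.get("Is private key showable") == "yes":
            findings.append("keyring %s: private key is showable, so anyone with "
                            "enable access can dump it with 'show ssl key-pair "
                            "unencrypted'" % ring["id"])
        exp = ring.get("Expiration Date")
        if exp:
            expires = datetime.strptime(exp, "%b %d %H:%M:%S %Y GMT")
            expires = expires.replace(tzinfo=timezone.utc)
            if expires < now:
                findings.append("keyring %s: certificate expired on %s" % (ring["id"], exp))
            elif expires - now < timedelta(days=expiry_warn_days):
                findings.append("keyring %s: certificate expires within %d days (%s)"
                                % (ring["id"], expiry_warn_days, exp))
    return findings


def run_sample(now_iso=None):
    """Audit the constructed captures; pass 'YYYY-MM-DD' for a repeatable 'now'."""
    now = (datetime.strptime(now_iso, "%Y-%m-%d") if now_iso
           else datetime.now(timezone.utc)).replace(tzinfo=timezone.utc)
    return audit(parse_show_security(SHOW_SECURITY),
                 parse_ssh_versions(SHOW_SSH_VERSIONS),
                 parse_keyrings(SHOW_SSL_KEYRING), now)


if __name__ == "__main__":
    for finding in run_sample():
        print("-", finding)
```

Feed real captures by replacing the three constants with the text saved from an SSH session; the parsers only key on the labels shown in this chapter, so any extra lines in the output are ignored.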
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# temporary-route 



# temporary-route 



# temporary-route 

This command is used to manage temporary route entries. After a reboot these routes are lost. 

Syntax 

# temporary-route [subcommands] 

Subcommands 

# temporary-route add destination_address netmask gateway_address 

Adds a temporary route entry. 

# temporary-route delete destination_address 

Deletes a temporary route entry. 
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# test 



# test 



# test 

This command is used to test subsystems. A test http get command to a particular origin server or 
URL, for example, can verify Layer 3 connectivity and also verify upper layer functionality. 

Syntax 

# test http [subcommands] 

Subcommands 

# test http get url 

Does a test GET of the HTTP object specified by url. 

# test http loopback 

Does a loopback test. 

Example 

SGOS# test http loopback 

Type escape sequence to abort. 

Executing HTTP loopback test 

Measured throughput rate is 16688.96 Kbytes/sec 
HTTP loopback test passed 

SGOS# test http get http://www.google.com 

Type escape sequence to abort. 

Executing HTTP get test 

# HTTP request header sent: 

GET http://www.google.com/ HTTP/1.0 
Host: www.google.com 
User-Agent: HTTP_TEST_CLIENT 

# HTTP response header recv'd: 

HTTP/1.1 200 OK 
Connection: close 
Date: Tue, 15 Jul 2003 22:42:12 GMT 
Cache-control: private 
Content-Type: text/html 
Server: GWS/2.1 
Content-length: 2691 
Set-Cookie: PREF=ID=500ccde1707c20ac:TM=1058308932:LM=1058308932:S=du3WuiW7FC_lJRgn; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com 
Measured throughput rate is 66.72 Kbytes/sec 
HTTP get test passed 
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# traceroute 



# traceroute 



# traceroute 

Use this command to trace the route to a destination. The traceroute command can be helpful in 
determining where a problem might lie between two points in a network. Use traceroute to trace the 
network path from the SG appliance back to a client or to a specific origin Web server. 

Note that you can also use the trace route command from your client station (if supported) to trace the 
network path between the client, the SG appliance, and a Web server. Microsoft operating systems 
generally support the trace route command from a DOS prompt. The syntax from a Microsoft-based 
client is: tracert [ip | hostname]. 

Syntax 

# traceroute [subcommands] 

Subcommands 

# traceroute IP_address 

Traces the route to the IP address of the client or origin server. 

# traceroute hostname 

Traces the route to the hostname of the origin server. 

Example 

SGOS# traceroute 10.25.36.47 

Type escape sequence to abort. 

Tracing the route to 10.25.36.47 
1 10.25.36.47 212 000 
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# upload 



# upload 



# upload 

Uploads the current access log or running configuration. 

Syntax 

# upload {subcommands} 

Subcommands 

# upload access-log all 

Uploads all access logs to a configured host. 

# upload access-log log log_name 

Uploads a specified access log to a configured host. 

# upload configuration 

Uploads running configuration to a configured host. 

Example 

SGOS# upload configuration 

ok 
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Chapter 3: Privileged Mode Configure Commands 



Configure Commands 

The configure command allows you to configure the Blue Coat SG appliance settings from your 
current terminal session (configure terminal), or by loading a text file of configuration settings from 
the network (configure network). 

Syntax 

configure {terminal | network url} 
configure_command 
configure_command 

where configure_command is any of the configuration commands in this document. Type a question 
mark after each of these commands for a list of subcommands or options with definitions. 
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#(config) accelerated-pac 



#(config) accelerated-pac 



#(config) accelerated-pac 

Synopsis 

Sets the path from which the PAC file is downloaded. 

Discussion 

Normally, a Web server serves the Proxy Auto-Configuration (PAC) file to client browsers. This feature 
allows you to load a PAC file onto the SG appliance so that the appliance itself serves the PAC file, at high 
performance. There are two ways to create an accelerated PAC file: 

□ Customize the default PAC file and save it as a new file. 

□ Create a new custom PAC file. 

In either case, it is important that the client instructions for configuring SG appliance settings contain 
the URL of the accelerated PAC file. Clients load PAC files from: 

https://SG_IP_Address:8082/accelerated_pac_base.pac 

Syntax 

#(config) accelerated-pac no path 

Clears the network path from which the PAC file is downloaded. 

#(config) accelerated-pac path url 

Specifies the URL from which the appliance downloads the PAC file (with load accelerated-pac). 



For More Information 

□ # inline on page 53 

□ # load on page 57 

□ Volume 2: Proxies and Proxy Services 

Example 

#(config) accelerated-pac path url 
#(config) load accelerated-pac 
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#(config) access-log 



#(config) access-log 



#(config) access-log 

Synopsis 

The SG appliance can maintain an access log for each HTTP request made. The access log can be stored 
in one of three formats, which can be read by a variety of reporting utilities. 

Syntax 

#(config) access-log 
This changes the prompt to: 

#(config access-log) 

Subcommands 

#(config access-log) create log log_name 
Creates an access log. 

#(config access-log) create format format_name 
Creates an access log format. 

#(config access-log) cancel-upload all 
Cancels upload for all logs. 

#(config access-log) cancel-upload log log_name 
Cancels upload for a log. 

#(config access-log) default-logging {cifs | epmapper | ftp | http | 
https-forward-proxy | https-reverse-proxy | icp | im | mapi | mms | p2p | rtsp 
| socks | ssl | tcp-tunnel | telnet} log_name 
Sets the default log for the specified protocol. 

#(config access-log) delete log log_name 
Deletes an access log. 

#(config access-log) delete format format_name 
Deletes an access log format. 

#(config access-log) disable 
Disables access logging. 

#(config access-log) early-upload megabytes 
Sets the log size in megabytes that triggers an early upload. 

#(config access-log) edit log log_name 
Changes the prompt to #(config log log_name) (see #(config log log_name) on page 92). 

#(config access-log) edit format format_name 
Changes the prompt to #(config format format_name) (see #(config format format_name) on page 96). 

#(config access-log) enable 
Enables access logging. 

#(config access-log) exit 
Exits #(config access-log) mode and returns to #(config) mode. 

#(config access-log) max-log-size megabytes 
Sets the maximum size in megabytes that logs can reach. 
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#(config) access-log 



#(config) access-log 



#(config access-log) no default-logging {cifs | epmapper | ftp | http | 
https-forward-proxy | https-reverse-proxy | icp | im | mapi | mms | p2p | rtsp 
| socks | ssl | tcp-tunnel | telnet} 
Disables default logging for the specified protocol. 

#(config access-log) overflow-policy delete 
Deletes the oldest log entries (up to the entire log) when the log is full. 

#(config access-log) overflow-policy stop 
Stops access logging until logs are uploaded. 

#(config access-log) upload all 
Uploads all logs. 

#(config access-log) upload log log_name 
Uploads a log. 

#(config access-log) view 
Shows access logging settings. 

#(config access-log) view log [brief | log_name] 
Shows the entire access log configuration, a brief version of it, or the configuration for a specific access 
log. 

#(config access-log) view format [brief | format_name] 
Shows the entire log format configuration, a brief version of it, or the configuration for a specific log 
format. 

#(config access-log) view statistics [log_name] 
Shows access log statistics for all logs or for the specified log. 

#(config access-log) view default-logging 
Shows the access log default policy. 

For More Information 

□ Volume 5: Advanced Networking 

□ Volume 8: Access Logging 

Example 

SGOS#(config) access-log 
SGOS#(config access-log) create log test 
ok 
SGOS#(config access-log) max-log-size 1028 
ok 
SGOS#(config access-log) overflow-policy delete 
ok 

View the results. (This is a partial output.) 

SGOS#(config access-log) view log 
Settings: 
  Log name: main 
  Format name: main 
  Description: 
  Logs uploaded using FTP client 
  Logs upload as gzip file 
  Wait 60 seconds between server connection attempts 
  FTP client: 
    Filename format: SG_%f_%l%m%d%H%M%S.log 
    Filename uses utc time 
    Use PASV: yes 
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#(config) access-log 



#(config) access-log 



    Use secure connections: no 
    Primary host site: 
      Host: 
      Port: 21 
      Path: 
      Username: 
      Password: ************ 
    Alternate host site: 
      Host: 
      Port: 21 
      Path: 
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#(config) access-log 



#(config log log_name) 



#(config log log_name) 

Synopsis 

Use these commands to edit an access log. 

Syntax 

#(config) access-log 
This changes the prompt to: 

#(config access-log) 

#(config access-log) edit log log_name 
This changes the prompt to: 

#(config log log_name) 

Subcommands 

#(config log log_name) bandwidth-class bwm_class_name 
Specifies a bandwidth-management class for managing the bandwidth of this log. To bandwidth-manage 
this log, bandwidth management must be enabled; it is enabled by default. 

Note: You must also create a bandwidth class for this access log (in bandwidth-management 
mode) before you can select it here. See #(config) bandwidth-management on page 117 for more 
information. 

#(config log log_name) client-type custom 
Uploads the log using the custom client. 

#(config log log_name) client-type ftp 
Uploads the log using the FTP client. 

#(config log log_name) client-type http 
Uploads the log using the HTTP client. 

#(config log log_name) client-type none 
Disables uploads for this log. 

#(config log log_name) client-type websense 
Uploads the log using the Websense client. 

#(config log log_name) commands cancel-upload 
Cancels the upload in progress for this log. 

#(config log log_name) commands close-connection 
Closes a manually opened connection to the remote server. 

#(config log log_name) commands delete-logs 
Permanently deletes all access logs on the SG appliance. 

#(config log log_name) commands open-connection 
Manually opens a connection to the remote server. 

#(config log log_name) commands rotate-remote-log 
Switches to a new remote log file. 

#(config log log_name) commands send-keep-alive 
Sends a keep-alive log packet to the remote server. 
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#(config) access-log 



#(config log log_name) 



#(config log log_name) commands test-upload 
Tests the upload configuration by uploading a verification file. 

#(config log log_name) commands upload-now 
Uploads the access log now. 

#(config log log_name) connect-wait-time seconds 
Sets the time to wait between server connect attempts. 

#(config log log_name) continuous-upload 

#(config log log_name) continuous-upload enable 
Uploads the access log continuously to the remote server. 

#(config log log_name) continuous-upload keep-alive seconds 
Sets the interval between keep-alive log packets. 

#(config log log_name) continuous-upload lag-time seconds 
Sets the maximum time between log packets (text upload only). 

#(config log log_name) continuous-upload rotate-remote {daily rotation_hour (0-23) | hourly hours [minutes]} 
Specifies when to switch to a new remote log file. 

#(config log log_name) custom-client alternate hostname [port] 
Configures the alternate custom server address. 

#(config log log_name) custom-client primary hostname [port] 
Configures the primary custom server address. 

#(config log log_name) custom-client secure {no | yes} 
Selects whether to use secure connections (SSL). The default is no. If yes, the hostname must match the 
hostname in the certificate presented by the server. 

#(config log log_name) description description 
Sets the log description. 

#(config log log_name) early-upload megabytes 
Sets the log size in megabytes that triggers an early upload. 

#(config log log_name) encryption certificate certificate_name 
Specifies the certificate used to encrypt this access log. 

#(config log log_name) exit 
Exits #(config log log_name) mode and returns to #(config access-log) mode. 

#(config log log_name) format-name format_name 
Sets the log format. 

#(config log log_name) ftp-client alternate {encrypted-password encrypted_password | host hostname [port] | password password | path path | username username} 
Configures the alternate FTP host site. 

#(config log log_name) ftp-client filename format 
Configures the remote filename format. 

#(config log log_name) ftp-client no {alternate | filename | primary} 
Deletes the remote filename format or the alternate or primary host parameters. 

#(config log log_name) ftp-client pasv {no | yes} 
Sets whether the PASV or PORT command is sent. 

#(config log log_name) ftp-client primary {encrypted-password encrypted_password | host hostname [port] | password password | path path | username username} 
Configures the primary FTP host site. 
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#(config) access-log 



#(config log log_name) 



#(config log log_name) ftp-client secure {no | yes} 
Selects whether to use secure connections (FTPS). The default is no, in which case both the FTP 
credentials and the log contents cross the network in the clear. If yes, the hostname must match 
the hostname in the certificate presented by the server. 

#(config log log_name) ftp-client time-format {local | utc} 
Selects the time format to use within the upload filename. 

#(config log log_name) http-client alternate {encrypted-password encrypted_password | host hostname [port] | password password | path path | username username} 
Configures the alternate HTTP host site. 

#(config log log_name) http-client filename format 
Configures the remote filename format. 

#(config log log_name) http-client no {alternate | filename | primary} 
Deletes the remote filename format or the alternate or primary host parameters. 

#(config log log_name) http-client primary {encrypted-password encrypted_password | host hostname [port] | password password | path path | username username} 
Configures the primary HTTP host site. 

#(config log log_name) http-client secure {no | yes} 
Selects whether to use secure connections (HTTPS). The default is no. If yes, the hostname must match 
the hostname in the certificate presented by the server. 

#(config log log_name) http-client time-format {local | utc} 
Selects the time format to use within the upload filename. 

#(config log log_name) no {encryption | bandwidth-class | signing} 
Disables access-log encryption, bandwidth management, or digital signing for this log. 

#(config log log_name) periodic-upload enable 
Uploads the access log daily or hourly to the remote server. 

#(config log log_name) periodic-upload upload-interval {daily upload_hour (0-23) | hourly hours [minutes]} 
Specifies the access log upload interval. 

#(config log log_name) remote-size megabytes 
Sets the maximum size in MB of remote log files. 

#(config log log_name) signing keyring_id 
Specifies the keyring to be used for digital signatures. 

#(config log log_name) upload-type {gzip | text} 
Sets the upload file type (gzip or text). 

#(config log log_name) view 
Shows the log settings. 

#(config log log_name) websense-client 

#(config log log_name) websense-client alternate hostname [port] 
Configures the alternate Websense server address. 

#(config log log_name) websense-client no {primary | alternate} 
Deletes the primary or alternate Websense server information. 

#(config log log_name) websense-client primary hostname [port] 
Configures the primary Websense server address. 

For More Information 

□ #(config) access-log on page 89 
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#(config) access-log 



#(config log log_name) 



□ Volume 8: Access Logging 

Example 

SGOS#(config) access-log 
SGOS#(config access-log) edit log testlog 
SGOS#(config log testlog) upload-type gzip 
ok 
SGOS#(config log testlog) exit 
SGOS#(config access-log) exit 
SGOS#(config) 
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#(config) access-log 



#(config format format_name) 



#(config format format_name) 

Synopsis 

Use these commands to edit an access log format. 

Syntax 

#(config) access-log 
This changes the prompt to: 

#(config access-log) 

#(config access-log) edit format format_name 
This changes the prompt to: 

#(config format format_name) 

Subcommands 

#(config format format_name) exit 

Exits #(config format format_name) mode and returns to #(config access-log) mode. 

#(config format format_name) multi-valued-header-policy log-all-headers 
Sets multi-valued header policy to log all headers. 

#(config format format_name) multi-valued-header-policy log-first-header 
Sets multi-valued header policy to log the first header. 

#(config format format_name) multi-valued-header-policy log-last-header 
Sets multi-valued header policy to log the last header. 

#(config format format_name) type custom format_string 
Specifies a custom logging format. 

#(config format format_name) type elff format_string 
Specifies the W3C extended log file format (ELFF). 

#(config format format_name) view 
Shows the format settings. 



For More Information 

□ # (config) access-log on page 89 

□ Volume 8: Access Logging 

Example 

SGOS#(config) access-log 
SGOS#(config access-log) edit format testformat 
SGOS#(config format testformat) multi-valued-header-policy log-all-headers 
ok 
SGOS#(config format testformat) exit 
SGOS#(config access-log) exit 
SGOS#(config) 
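Logs written with type elff are consumed far more often by detection tooling than by people, so it is worth seeing what that format looks like on the wire. The following Python parser is an added example, not Blue Coat code: it honours the #Fields directive that names the columns, the double quoting around fields such as cs(User-Agent), and the "-" placeholder ELFF uses for an absent value, then counts denied requests per client. The field list and the three log lines are constructed for this example and do not come from a real SG appliance.

```python
import shlex

# Constructed sample, not a real SG appliance log; the field list mirrors a
# typical W3C ELFF "#Fields:" directive for an access log.
SAMPLE_LOG = """\
#Software: SGOS
#Version: 1.0
#Date: 2007-05-02 14:31:04
#Fields: date time time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-method cs-uri-scheme cs-host cs-uri-path cs(User-Agent) s-ip
2007-05-02 14:31:04 120 10.9.17.159 200 TCP_HIT 5123 420 GET http www.example.com / "Mozilla/5.0 (compatible)" 10.9.59.1
2007-05-02 14:31:05 30 10.9.17.159 407 TCP_DENIED 1211 385 CONNECT tcp mail.example.net - - 10.9.59.1
2007-05-02 14:31:06 15 10.9.17.134 403 TCP_DENIED 990 401 GET http evil.example.org /payload.exe "curl/7.19" 10.9.59.1
"""


def parse_elff(text):
    """Yield one dict per record, keyed by the names in the most recent #Fields directive.

    '-' is the ELFF null marker and becomes None; double-quoted fields (such as
    cs(User-Agent)) may contain spaces and are split correctly by shlex.
    """
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue  # #Software, #Version, #Date and other directives carry no records
        if fields is None:
            raise ValueError(f"line {lineno}: record before any #Fields directive")
        values = shlex.split(line, posix=True)
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        yield {name: (None if value == "-" else value) for name, value in zip(fields, values)}


def denied_by_client(records):
    """Count denials per client IP: s-action TCP_DENIED or a 4xx status from the proxy."""
    counts = {}
    for rec in records:
        status = rec.get("sc-status") or ""
        if rec.get("s-action") == "TCP_DENIED" or status.startswith("4"):
            counts[rec["c-ip"]] = counts.get(rec["c-ip"], 0) + 1
    return counts


if __name__ == "__main__":
    recs = list(parse_elff(SAMPLE_LOG))
    for rec in recs:
        print(rec["c-ip"], rec["sc-status"], rec["s-action"], rec["cs-host"], rec["cs-uri-path"])
    print(denied_by_client(recs))
```

Because the column order is taken from the #Fields directive rather than hard-coded, the same parser works for any custom or ELFF format string configured with the commands above, as long as the log carries its directive header.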
#(config) adn 

Synopsis 

ADN optimization allows you to reduce the amount of tunneled TCP traffic across a WAN by means 
of an overlay network called an Application Delivery Network, or ADN. SG devices that participate in 
the ADN use byte caching technology, which replaces large chunks of repeated data with small 
tokens representing that data. SG devices in the ADN also use gzip compression to further reduce the 
amount of data flowing over the WAN. 

Syntax 

SGOS#(config) adn 
The prompt changes to 
SGOS#(config adn) 

Subcommands 

SGOS#(config adn) byte-cache 

Configures byte caching parameters. The prompt changes to SGOS#(config adn byte-cache). 

SGOS#(config adn byte-cache) exit 

Exits the SGOS#(config adn byte-cache) submode and returns to SGOS#(config adn) 
mode. 

SGOS#(config adn byte-cache) peer-size peer_id {size_in_megabytes | auto} 
Manually sets the amount of memory used to keep track of the byte-cache hash table. Generally, 
the dynamic settings are acceptable; you do not need to change the dictionary size. Only if 
you determine that the algorithm performance does not guarantee a sufficient dictionary 
size for a specific peer should you manually set the dictionary size. 

SGOS#(config adn byte-cache) view 

Views the current configuration of the byte caching parameters. 

SGOS# (config adn) {enable | disable} 

Enables or disables the ADN optimization network. 

SGOS# (config adn) exit 

Exits the SGOS# (conf ig adn) submode and returns to SGOS# (conf ig) mode. 

SGOS# (config adn) load-balancing 

Configures load-balancing parameters. The prompt changes to SGOS# ( conf ig adn 
load-balancing) . 

SGOS# (config adn load-balancing) {enable | disable} 

Enables or disables load-balancing functionality. 

SGOS# (config adn load-balancing) exit 

Exits the submode and returns to SGOS# ( config adn) mode. 

SGOS# (config adn load-balancing) external-vip IP_address 

Sets the external VIP. The same VIP must be configured on each SG appliance in the cluster, and the 
VIP must exist on an external load balancing device. The external VIP is used in explicit external 
load balancing. 

SGOS# (config adn load-balancing) group group_name 

Sets the group name for an ADN group. Groups are used in transparent load balancing. 

SGOS#(config adn load-balancing) load-balance-only {enable | disable} 

Specifies whether the node can take participate in load balancing (disable) or if it acts as a load 
balancer only (enable). 
SGOS#(config adn load-balancing) no {external-vip | group} 

Removes the external VIP or group name. 

SGOS# (config adn load-balancing) view 
Views the load-balancing configuration. 

SGOS# (config adn) manager 

Configures manager parameters. The prompt changes to SGOS# (config adn manager) . 

SGOS# (config adn manager) approved-peers 

Configures approved-peers. The prompt changes to SGOS# (config adn approved-peers) . 

SGOS#(config adn approved-peers) add peer_serial_number 

Adds the peer with the specified serial number to the list of approved peers. 

SGOS# (config adn approved-peers) exit 

Exits the SGOS# ( config adn approved-peers) submode and returns to SGOS# (config 
adn manager) mode. 

SGOS#(config adn approved-peers) view [approved-peers | backup-manager-id 
| pending-peers | primary-manager-id] 

Views the list of approved devices and connections, as well as the device ID of fhe ADN 
manager and backup manager. 

SGOS#(config adn manager) backup-manager {IP_address [device_id] | self} 

Defines the backup ADN manager. While optional, defining a backup ADN manager is highly 
recommended. If the primary ADN manager goes offline for any reason, routing updates are no 
longer available, which prevents nodes from learning when other nodes enter and leave the network. 
Existing route information is still retained by the peers, however. 

SGOS# (config adn manager) exit 

Exits the SGOS# (config adn manager) submode and returns to SGOS# (config adn) mode. 

SGOS#(config adn manager) no {backup-manager | primary-manager} 

Clears the IP address of the specified ADN manager or backup manager. 

SGOS# (config adn manager) pending-peers 

Configures pending peers. The prompt changes to SGOS#(config adn pending-peers). 

SGOS#(config adn pending-peers) {accept | reject} {device_id | all} 

Allows or denies a specific peer or all peers that want to join a network. 

SGOS#(config adn pending-peers) {enable | disable} 

Enables or disables the pending-peers functionality. 

SGOS# (config adn pending-peers) exit 

Exits the SGOS#(config adn pending-peers) submode and returns to SGOS#(config 
adn manager) mode. 

SGOS# (config adn pending-peers) view 

Views the list of pending devices and connections. 

SGOS# (config adn manager) port port_number 

Sets the port number for the primary and backup ADN managers. All SG appliance devices in the 
ADN must use the same manager port number. The default is port 3034; it should not be changed. 

SGOS# (config adn manager) primary-manager IP_address 

Defines the primary ADN manager. The responsibility of the ADN manager is to keep up to date the 
routing information from each SG appliance node on the WAN optimization network and to 
broadcast that information to all the peers. 

SGOS#(config adn manager) secure-port port_number 

Sets the port number used for secure (SSL) connections to the primary and backup ADN managers. 

SGOS# (config adn manager) view 
Views the adn manager configuration. 

SGOS# (config adn) routing 

Configures routing information. The prompt changes to SGOS#(config adn routing). 
SGOS#(config adn routing) advertise-internet-gateway 

Enters advertise-internet-gateway mode to enable the SG appliance as an Internet gateway. 
Changes the prompt to SGOS#(config adn routing advertise-internet-gateway). 

SGOS#(config adn routing advertise-internet-gateway) {disable | enable} 
Enables or disables the ability for this peer to be used as an Internet gateway. 

SGOS#(config adn routing advertise-internet-gateway) exempt-subnet {add 
subnet_prefix[/prefix_length] | clear-all | remove subnet_prefix[/prefix_length] | view} 

Manages the subnets that must not be routed to Internet gateway(s). 

SGOS# (config adn routing advertise-internet-gateway) exit 

Leaves the advertise-internet-gateway submode and returns to the routing submode. 

SGOS# (config adn routing advertise-internet-gateway) view 
Displays the advertise-internet-gateway parameters. 

SGOS#(config adn routing) prefer-transparent {enable | disable} 

Forces peers to always use advertised routes (disable) or allows them to use transparent routes 
when those are available (enable). 

SGOS# (config adn routing) exit 

Exits the SGOS# (config adn routing) submode and returns to SGOS# (config adn) mode. 

SGOS# (config adn routing) server-subnets 

Configures server-subnets that will be advertised to other peers on the WAN optimization network. 
The prompt changes to SGOS# (config adn routing server-subnets). 

SGOS#(config adn routing server-subnets) add subnet_prefix[/prefix_length] 
Adds a subnet with the specified prefix and, optionally, the prefix length, to the SG appliance 
routes that it sends to the ADN manager. 

SGOS# (config adn routing server-subnets) clear-all 
Deletes all subnets listed on the system. 

SGOS# (config adn routing server-subnets) exit 

Exits the SGOS# (config adn routing server-subnets) submode and returns to 
SGOS# (config adn routing) submode. 

SGOS# (config adn routing server-subnets) view 
Views the current configuration of the server subnets. 

SGOS# (config adn routing) view 

Views the current parameters of the routing configuration. 

SGOS# (config adn) security 

Configures authorization parameters. Changes the prompt to SGOS# (config adn security). 

SGOS#(config adn security) authorization {enable | disable} 

Enables or disables connection authorization. 

SGOS#(config adn security) device-auth-profile profile_name [no-authorization] 

Selects the ADN device-auth profile name. The profile must already exist. 

SGOS# (config adn security) exit 

Leaves the security submode. Returns to (config adn) mode. 

SGOS#(config adn security) manager-listening-mode {plain-only | 
plain-read-only | secure-only | both} 

Configures the manager listening mode; both accepts both plain and secure connections. 

SGOS# (config adn security) no device-auth-profile 
Clears the profile name. 

SGOS#(config adn security) secure-outbound {none | routing-only | 
secure-proxies | all} 

Configures outbound connection encryption: none disables encryption, routing-only encrypts only 
the outbound routing (manager) connections, secure-proxies encrypts the traffic of secure proxies 
(that is, HTTPS or SSL), and all encrypts every outbound connection. 

SGOS#(config adn security) tunnel-listening-mode {plain-only | secure-only | 
both} 

Starts the specified tunnel listening mode. 

SGOS# (config adn security) view 
View security configuration 

SGOS# (config adn) tunnel 

Configures parameters for tunnel connections. Tunnel connections are established between ADN peers 
in order to carry optimized traffic over the WAN. Changes the prompt to SGOS#(config adn 
tunnel). 

SGOS#(config adn tunnel) connect-transparent {enable | disable} 

Control outbound ADN transparent tunnel initiation 

SGOS# (config adn tunnel) exit 

Exits the SGOS# (conf ig adn tunnel) submode and returns to SGOS# (config adn) mode. 

SGOS#(config adn tunnel) preserve-dest-port {enable | disable} 

Preserve destination port on outbound connections 

SGOS# (config adn tunnel) port port_number 

Sets the port number for the client or data port used by ADN tunnel connections. Each ADN node 
has a TCP listener on this port in order to receive tunnel connections. The default is port 3035; it 
should not be changed. 

SGOS# (config adn tunnel) proxy-processing http {enable | disable} 

Enables HTTP handoff. This option should be used with care as both byte caching and object 
caching require significant resources. Be sure that your SG devices are sized correctly if you intend 
to use this option. 

SGOS#(config adn tunnel) reflect-client-ip {allow | deny | use-local-ip} 

Allows the concentrator proxy to follow, deny, or ignore the branch proxy reflect-client-ip settings. 

SGOS# (config adn tunnel) secure-port port_number 
Configure listening port for secure ADN tunnel 

SGOS#(config adn tunnel) tcp-window-size bytes 

Sets the window size used by TCP on all ADN tunnel connections. The default is 65536. 

SGOS# (config adn tunnel) view 

Views the current configuration ADN tunnel parameters. 

SGOS# (config adn) view 

Views the configuration of the WAN optimization parameters you created on this system. 

For More Information 

□ Volume 5: Advanced Networking 



Example 



SGOS#(config) adn 
SGOS#(config adn) enable 
SGOS#(config adn) manager 
SGOS#(config adn manager) primary-manager 10.25.36.47 
SGOS#(config adn manager) backup-manager 10.25.36.48 
SGOS#(config adn) tunnel 
SGOS#(config adn tunnel) tcp-window-size 200000 
SGOS#(config adn tunnel) exit 
SGOS#(config adn) routing 
SGOS#(config adn routing) server-subnets 
SGOS#(config adn routing server-subnets) clear-all 
SGOS#(config adn routing server-subnets) add 10.9.59.0/24 
SGOS#(config adn routing server-subnets) exit 
SGOS#(config adn routing) exit 
SGOS#(config adn) byte-cache 
SGOS#(config adn byte-cache) max-peer-memory 40 
SGOS#(config adn byte-cache) exit 
SGOS#(config adn) view 

Application Delivery Network Configuration 
ADN:                         enabled 
External VIP:                none 

Manager Configuration: 
Primary manager:             self 
Backup manager:              none 
Port:                        3034 
Secure port:                 3036 
Approved device              Connecting from 
Allow pending devices:       enabled 
Pending device               Connecting from 

Byte-cache Configuration: 
Max number of peers:         10347 
Max peer memory:             30 

Tunnel Configuration: 
Port:                        3035 
Secure port:                 3037 
proxy-processing http:       disabled 
accept-transparent:          enabled 
connect-transparent:         enabled 
preserve-dest-port:          enabled 
TCP window size:             65536 
reflect-client-ip:           use-local-ip 

Routing Configuration: 
Internet Gateway:            disabled 
Exempt Server subnet:        10.0.0.0/8 
Exempt Server subnet:        172.16.0.0/12 
Exempt Server subnet:        192.168.0.0/16 

Security Configuration: 
Device-auth-profile:         bluecoat 
Manager-listening mode:      plain-only 
Tunnel-listening mode:       plain-only 
Authorization:               enabled 
Secure-outbound:             none 
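The Security Configuration block of the view output is what decides whether ADN managers and peers talk in clear text, and it is the part a reviewer should read first. The following Python script is an added example, not Blue Coat code: it parses a saved copy of the view output (the sample dump below is constructed, modelled on the output above) and flags the settings that leave the overlay network exposed: listening modes that accept plain connections, secure-outbound set to anything but all, connection authorization disabled, no device-auth profile, and pending devices being accepted. The section and key names are assumed to match the layout shown above.

```python
import re

# Constructed sample dump, modelled on the 'SGOS#(config adn) view' output above.
SAMPLE_VIEW = """\
Application Delivery Network Configuration
ADN:                         enabled
External VIP:                none

Manager Configuration:
Primary manager:             self
Backup manager:              none
Port:                        3034
Secure port:                 3036
Approved device              Connecting from
Allow pending devices:       enabled
Pending device               Connecting from

Tunnel Configuration:
Port:                        3035
Secure port:                 3037
proxy-processing http:       disabled

Security Configuration:
Device-auth-profile:         bluecoat
Manager-listening mode:      plain-only
Tunnel-listening mode:       plain-only
Authorization:               enabled
Secure-outbound:             none
"""

KEY_VALUE = re.compile(r"^([A-Za-z][\w\- ]*?):\s*(.*)$")


def parse_view(text):
    """Return {section: {key: value}} with keys and values lower-cased.

    A line ending in 'Configuration' starts a new section; 'key: value' lines
    are recorded under the current section; column headers such as
    'Approved device   Connecting from' carry no setting and are ignored.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = KEY_VALUE.match(line)
        if match and match.group(2):
            if current is None:
                raise ValueError(f"setting before any section header: {line!r}")
            sections[current][match.group(1).strip().lower()] = match.group(2).strip().lower()
        elif line.rstrip(":").endswith("Configuration"):
            current = line.rstrip(":")
            sections.setdefault(current, {})
    return sections


def audit(sections):
    """Return a list of findings; an empty list means no weak setting was seen."""
    top = sections.get("Application Delivery Network Configuration", {})
    if top.get("adn") != "enabled":
        return []  # nothing to audit on a node that is not part of an ADN
    sec = sections.get("Security Configuration", {})
    mgr = sections.get("Manager Configuration", {})
    findings = []
    if sec.get("authorization") != "enabled":
        findings.append("connection authorization is disabled")
    if sec.get("device-auth-profile", "none") in ("", "none"):
        findings.append("no device-auth-profile configured: peers are not authenticated")
    for key, listener in (("manager-listening mode", "manager"), ("tunnel-listening mode", "tunnel")):
        mode = sec.get(key, "unset")
        if mode != "secure-only":
            findings.append(f"{listener} listener accepts plain-text connections (mode: {mode})")
    outbound = sec.get("secure-outbound", "unset")
    if outbound != "all":
        findings.append(f"secure-outbound is {outbound}: some outbound ADN traffic is sent in clear text")
    if mgr.get("allow pending devices") == "enabled":
        findings.append("pending devices are accepted for review: check the pending-peers list regularly")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_view(SAMPLE_VIEW)):
        print("WARN:", finding)
```

Run it against the output of view captured from each node in the ADN; on the sample above it reports both listeners in plain-only mode, secure-outbound none and pending devices enabled, which is exactly the configuration in the view output shown earlier.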
#(config) alert 

Synopsis 

Configures the notification properties of hardware environmental metrics (called sensors) and the 
threshold and notification properties of system resource health monitoring metrics. These health 
monitoring metrics enable Director (and other third-party network management tools) to provide a 
remote view of the health of the SG system. 



Note: Sensor thresholds are not configurable. 



Syntax 

#(config) alert threshold metric_name warning_threshold warning_interval 
critical_threshold critical_interval 

#(config) alert notification metric_name notification_method 



Subcommands 

#(config) alert {threshold | notification} cpu-utilization 

Sets alert threshold and notification properties for CPU utilization metrics. 

#(config) alert {threshold | notification} license-utilization license_type 
Sets alert threshold and notification properties for licenses with user limits. 

#(config) alert {threshold | notification} license-expiration license_type 
Sets alert threshold and notification properties for license expiration. 

#(config) alert {threshold | notification} memory-pressure 

Sets alert threshold and notification properties for memory pressure metrics. 

#(config) alert {threshold | notification} network-utilization adapter:interface 
Sets alert threshold and notification properties for interface utilization metrics. 

#(config) alert notification sensor sensor-type 

Sets alert notification properties for hardware environmentals. See "Sensors" on page 103 for a 
description of the sensor types. 

#(config) alert notification disk-status disk_number 
Sets alert notification properties for disk status messages. 



Sensors 

The following table describes the sensor metrics. The hardware and environmental metrics are 
referred to as sensors. Sensor threshold values are not configurable and are preset to optimal values. 
For example, if the CPU temperature reaches 55 degrees Celsius, it is considered to have entered the 
Warning threshold. 
Table 3-1. Sensor Health Monitoring Metrics 

Metric                   MIB      Threshold States 
Disk status              Disk     Critical: Bad 
                                  Warning: Not Present, Removed, Offline 
                                  OK: Present, Initializing, Inserted, Slot_empty 
Temperature              Sensor   High-critical 
  Bus temperature                 High-warning 
  CPU temperature 
Fan                      Sensor   Critical: Low-critical 
  CPU Fan                         Warning: Low-warning 
Voltage                  Sensor   Critical: critical, high-critical, low-critical 
  Bus Voltage                     Warning: high-warning, low-warning 
  CPU voltage 
  Power Supply voltage 

Thresholds 

The following table describes the health monitoring metrics and their default thresholds, shown as 
threshold/interval. Sensor thresholds cannot be set. 

Table 3-2. System Resource Health Monitoring Metrics 

Metric               Units       Threshold and Interval Defaults   Notes 
CPU Utilization      Percentage  Critical: 95/120                  Measures the value of CPU 0 on multi-processor 
                                 Warning: 80/120                   systems, not the average of all CPU activity. 
Memory Pressure      Percentage  Critical: 95/120                  Memory pressure occurs when memory resources 
                                 Warning: 90/120                   become limited, causing new connections to be 
                                                                   delayed. 
Network Utilization  Percentage  Critical: 90/120                  Measures the traffic (in and out) on the interface 
                                 Warning: 60/120                   to determine if it is approaching the maximum 
                                                                   allowable bandwidth. 
License Utilization  Percentage  Critical: 100/0                   For licenses that have user limits, monitors the 
                                 Warning: 90/0                     number of users. 
License Expiration   Days        Critical: 0/0                     Warns of impending license expiration. For license 
                                 Warning: 30/0                     expiration metrics, intervals are ignored. Refer to 
                                                                   Volume 10: Managing the Blue Coat SG Appliance 
                                                                   for more information. 



For the purposes of notification, thresholds are defined by two variables, the threshold level and the 
threshold interval: 

□ The threshold level describes the state of the metric: OK, Warning, or Critical. 



Note: Sensors have different threshold levels than OK, Warning, and Critical. See "Sensors" on page 

103 for more information. 



□ The threshold interval specifies the period of time that the metric must stay in the level before 
an alert is triggered. 

Consider the following command: 

#(config) alert threshold cpu-utilization 80 20 90 20 
The preceding command sets the cpu-utilization threshold values as follows: 

□ Warning Threshold=80 (percent) 

□ Warning Interval=20 (seconds) 

□ Critical Threshold=90 (percent) 

□ Critical Interval=20 (seconds) 

In this example, if CPU activity hovers between 80% and 89% for 20 seconds, the cpu-utilization metric 
is considered to be in the Warning condition. 

Notification occurs when a threshold state changes, for example, from OK to Warning. See 
"Notification Methods" on page 105 for more information. 

Notification Methods 

The following notification methods can be set. To set more than one type of notification, separate the 
notification methods by spaces. For example: 

SGOS#(config) alert notification license-utilization quicktime email log trap 
Table 3-3. Alert Notification Methods 

Method   Description 
email    Notify using e-mail only 
log      Notify using Event log only 
trap     Notify using SNMP trap only 
none     Disable notification 



Licenses 

The license utilization and expiration alert settings can be modified for the following licenses. 



Table 3-4. Health Monitoring License Options 

License         Description 
aol-im          Alert properties for AOL Instant Messaging 
msn-im          Alert properties for MSN Instant Messaging 
quicktime       Alert properties for QuickTime Streaming 
real-media      Alert properties for Real Media Streaming 
windows-media   Alert properties for Windows Media Streaming 
yahoo-im        Alert properties for Yahoo Instant Messaging 
sgos            Alert properties for SGOS (expiration only) 
ssl             Alert properties for SSL Proxy (expiration only) 


The threshold values for license expiration metrics are set in days until expiration. In this context, a 
"critical" threshold indicates that license expiration is imminent. This is the only metric in which the 
Critical threshold value should be smaller than the Warning threshold value. For example, if you set 
the Warning threshold to 45, an alert is sent when there are 45 days remaining in the license period. 
The Critical threshold would be less than 45 days, for example 5 days. 

For the license expiration metrics, the threshold interval is irrelevant and is set by default to 0. You 
should set the Warning Threshold to a value that gives you ample time to renew your license. By 
default, all license expiration metrics have a Warning Threshold of 30 days. By default, the Critical 
Threshold is configured to 0, which means that a trap is immediately sent upon license expiration. 
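The two rules that trip people up here are that a metric must stay at a level for the whole interval before the alert fires, and that license-expiration thresholds run the other way (a smaller number of days is worse). The following Python model is an added example, not Blue Coat code, and reproduces those semantics for the CPU and license-expiration commands in the examples below: set_threshold takes the same five values as alert threshold, observe feeds timed samples, and notifications records each state change. That a return to OK is reported immediately (without waiting an interval) is an assumption of the model, as are the sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Threshold:
    warning: float
    warning_interval: float       # seconds the value must persist; 0 means immediately
    critical: float
    critical_interval: float
    lower_is_worse: bool = False  # True for license-expiration (days remaining)


@dataclass
class MetricState:
    level: str = "OK"        # level currently reported
    candidate: str = "OK"    # level the latest sample points at
    since: float = 0.0       # time the candidate level was first observed


class HealthMonitor:
    def __init__(self):
        self.thresholds: Dict[str, Threshold] = {}
        self.states: Dict[str, MetricState] = {}
        # (metric, old level, new level, time): one entry per state change
        self.notifications: List[Tuple[str, str, str, float]] = []

    def set_threshold(self, metric, warning, warning_interval, critical, critical_interval,
                      lower_is_worse=False):
        """Mirror of: alert threshold <metric> <warn> <warn_int> <crit> <crit_int>."""
        inverted = critical < warning
        if inverted != lower_is_worse:
            raise ValueError("critical must lie beyond warning in the metric's bad direction")
        self.thresholds[metric] = Threshold(warning, warning_interval, critical,
                                            critical_interval, lower_is_worse)
        self.states[metric] = MetricState()

    def _level_for(self, th, value):
        beyond = (lambda v, t: v <= t) if th.lower_is_worse else (lambda v, t: v >= t)
        if beyond(value, th.critical):
            return "Critical"
        if beyond(value, th.warning):
            return "Warning"
        return "OK"

    def observe(self, metric, value, now):
        """Feed one sample; return the reported level after applying the interval rule."""
        th, st = self.thresholds[metric], self.states[metric]
        level = self._level_for(th, value)
        if level != st.candidate:
            st.candidate, st.since = level, now   # start timing the new candidate level
        # Assumption: recovery to OK is reported at once; Warning and Critical
        # must persist for their configured interval before they are reported.
        required = {"Warning": th.warning_interval, "Critical": th.critical_interval}.get(level, 0)
        if level != st.level and now - st.since >= required:
            self.notifications.append((metric, st.level, level, now))
            st.level = level
        return st.level


if __name__ == "__main__":
    mon = HealthMonitor()
    mon.set_threshold("cpu-utilization", 80, 20, 90, 20)
    mon.set_threshold("license-expiration", 30, 0, 5, 0, lower_is_worse=True)
    for t, cpu in ((0, 85), (10, 85), (20, 85), (30, 95), (50, 95), (60, 50)):
        print(f"t={t:>3}s cpu={cpu}% -> {mon.observe('cpu-utilization', cpu, t)}")
    for t, days in ((0, 45), (1, 30), (2, 0)):
        print(f"t={t} days_left={days} -> {mon.observe('license-expiration', days, t)}")
    for note in mon.notifications:
        print("notify:", note)
```

With the CPU thresholds from the example (80 20 90 20), a value of 85% reported at t=0 does not raise Warning until a sample at t=20 confirms it has persisted; a jump to 95% at t=30 likewise waits until t=50 before Critical is reported. With the license-expiration thresholds (30 0 5 0) the intervals are zero, so 30 days remaining is Warning and 0 days is Critical as soon as they are observed.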

For More Information 

□ Volume 10: Managing the Blue Coat SG Appliance 



Examples 



#(config) alert threshold cpu-utilization 80 20 90 20 
#(config) alert threshold license-utilization quicktime 80 20 90 20 
#(config) alert threshold license-expiration quicktime 30 0 5 0 
#(config) alert notification cpu-utilization trap 
#(config) alert notification license-utilization quicktime email log trap 
#(config) alert notification sensor fan email 
#(config) alert notification sensor voltage trap 
#(config) archive-configuration 

Synopsis 

Archiving an SG system configuration on a regular basis is always a good idea. In the rare case of a 
complete system failure, restoring an SG appliance to its previous state is simplified by loading an 
archived system configuration from an FTP, HTTP, or HTTPS server. The archive contains all system 
settings differing from system defaults, along with any forwarding and security lists installed on the 
SG appliance. 

Archive and restore operations must be done from the CLI. There is no Management Console Web 
interface for archive and restore. 

Note that the upload protocols available here (FTP and TFTP) carry both the login credentials and the 
archive itself in clear text, so the upload host should be reachable only from a trusted management 
network. 

Syntax 

#(config) archive-configuration [subcommands] 



Subcommands 

#(config) archive-configuration encrypted-password encrypted_password 
Specifies the encrypted password for the upload host (not required for TFTP). 

#(config) archive-configuration filename-prefix filename 

Specifies the prefix that should be applied to the archive configuration on upload. 

#(config) archive-configuration host hostname 

Specifies the FTP host to which the archive configuration should be uploaded. 

#(config) archive-configuration password password 

Specifies the password for the FTP host to which the archive configuration should be uploaded 

#(config) archive-configuration path path 

Specifies the path to the FTP host to which the archive configuration should be uploaded. 

#(config) archive-configuration protocol (ftp | tftp} 

Indicates the upload protocol to be used for the archive configuration using FTP or TFTP. 

#(config) archive-configuration username username 

Specifies the username for the FTP host to which the archive configuration should be uploaded (not required for TFTP). 



For More Information 

□ Volume 1: Getting started 

Example 

SGOS#(config) archive-configuration host host1 

ok 
#(config) attack-detection 

Synopsis 

The SG appliance can reduce the effects of distributed denial of service (DDoS) attacks and port 
scanning, two of the most common symptoms of virus-infected hosts. 

The SG appliance prevents attacks by limiting the number of TCP connections from each client IP 
address and either does not respond to connection attempts from a client already at this limit or 
resets the connection. 



Syntax 

#(config) attack-detection 
This changes the prompt to: 

#(config attack-detection) 



Subcommands 

#(config attack-detection) client 

Changes the prompt to # (config client) on page 111. 

#(config attack-detection) exit 

Leaves # (config attack-detection) mode and returns to # (config) mode. 

# (config attack-detection) server 

Changes the prompt to # (config server) on page 114. 

# (config attack-detection) view client [blocked | connections | statistics] 

Displays client information. The blocked option displays the clients blocked at the network level, the 
connections option displays the client connection table, and the statistics option displays client 
request failure statistics. 

# (config attack-detection) view configuration 

Allows you to view attack-detection configuration settings or the number of current connections. 

# (config attack-detection) view server [statistics] 

Displays server information. The statistics option displays server-connection failure statistics 

For More Information 

□ Volume 5: Advanced Networking 



Example 



#(config attack-detection) view configuration 
Client limits enabled:          false 
Client interval:                20 minutes 

Default client limits: 
Client connection limit:        100 
Client failure limit:           50 
Client warning limit:           10 
Blocked client action:          Drop 
Client connection unblock time: unlimited 

Client limits for 10.9.59.210: 
Client connection limit:        100 
Client failure limit:           50 
Client warning limit:           10 
Blocked client action:          Drop 
Client connection unblock time: unlimited 
#(config client) 

Synopsis 

Configures a client for attack detection. 

Syntax 

#(config attack-detection) client 
This changes the prompt to 
#(config client) 

Subcommands 

#(config client) block ip_address [minutes] 

Blocks a specific IP address for the number of minutes listed. If the optional minutes argument is 
omitted, the client is blocked until explicitly unblocked. 

#(config client) create ip_address or ip_address_and_length 
Creates a client with the specified IP address or subnet. 

#(config client) default {block-action {drop | send-tcp-rst} | connection-limit 
number_of_tcp_connections | failure-limit number_of_requests | unblock-time 
minutes | warning-limit number_of_warnings} 

default sets the values that are used if a client does not have specific limits set. The default 
values apply to all new clients and can be overridden on a per-client basis. To change the limits 
on a per-client basis, see edit, below. 

System defaults for attack-detection limits are: 

• block-action: drop 

• connection-limit: 100 

• failure-limit: 50 

• unblock-time: unlimited 

• warning-limit: 10 

#(config client) delete ip_address or ip_address_and_length 
Deletes the specified client. 

#(config client) disable-limits 
Disables attack detection. 

#(config client) edit ip_address 

Changes the prompt to #(config client ip_address) . 

#(config client IP_address) block-action {drop | send-tcp-rst} 

Indicates the behavior when the client is at the maximum number of connections or exceeds the 
warning limit: drop connections that are over the limit or send a TCP RST for connections over the 
limit. The default is drop. 

#(config client IP_address) connection-limit number_of_tcp_connections 
Indicates the number of simultaneous connections between 1 and 65535. The default is 100. 

#(config client IP_address) exit 

Exits the #(config client ip_address) submode and returns to #(config client) 
mode. 



#(config client IP_address) failure-limit number_of_requests 

Indicates the maximum number of failed requests a client is allowed before the proxy starts issuing 
warnings. Default is 50. This limit can be modified on a per-client basis. 

#(config client IP_address) no {connection-limit | failure-limit | 
warning-limit | unblock-time} 

Clears the specified limits on a per-client basis. 

If you edit an existing client's limits to a smaller value, the new value only applies to new 
connections to that client. For example, if the old value was 10 simultaneous connections 
and the new value is 5, existing connections above 5 are not dropped. 

#(config client IP_address) unblock-time minutes 

Indicates the amount of time a client is blocked at the network level when the client warning limit is 
exceeded. Time must be a multiple of 10 minutes, up to a maximum of 1440. The default is 
unlimited. 

#(config client IP_address) view 
Displays the limits for this client. 

#(config client IP_address) warning-limit number_of_warnings 

Indicates the number of warnings sent to the client before the client is blocked at the network level 
and the administrator is notified. The default is 10; the maximum is 100. 

#(config client) enable-limits 

Enables attack detection. This is a global setting and cannot be configured individually for specific 
clients. 

#(config client) interval minutes 

Indicates the amount of time, in multiples of 10 minutes, that client activity is monitored. The 
default is 20. Note that this is a global limit and cannot be modified for individual clients. 

#(config client) no default {connection-limit | failure-limit | 
warning-limit | unblock-time} 

Clears the specified default limit settings. These settings are applied to all new clients. 

#(config client) view [blocked | connections | statistics] 

Views all limits for all clients, or you can show clients blocked at the network level, view the client 
connection table, or view client request failure statistics. 

#(config client) unblock ip_address 
Releases a specific IP address. 
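The client limits above interact: connection-limit is enforced per connection, failure-limit turns failed requests into warnings, warning-limit turns warnings into a network-level block, unblock-time bounds that block, and interval is the window over which activity is counted. The following Python model is an added example, not Blue Coat code, and replays constructed client events against those documented rules so the progression can be checked before tightening limits on a production proxy. That failures are counted in a sliding window of interval minutes, and that a client's warning count resets when its block expires or it is unblocked, are assumptions of the model; the connection-limit check, the block-action values and the warning-to-block progression follow the descriptions above.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class ClientLimits:
    connection_limit: int = 100
    failure_limit: int = 50
    warning_limit: int = 10
    block_action: str = "drop"            # or "send-tcp-rst"
    unblock_time: Optional[int] = None    # minutes; None means blocked until unblocked manually


@dataclass
class ClientState:
    open_connections: int = 0
    failures: Deque[float] = field(default_factory=deque)  # failure timestamps (minutes)
    warnings: int = 0
    blocked_until: Optional[float] = None                  # float('inf') for an unlimited block


class AttackDetector:
    def __init__(self, default: Optional[ClientLimits] = None, interval: int = 20,
                 enabled: bool = True):
        self.default = default or ClientLimits()   # CLI: default ...
        self.interval = interval                   # CLI: interval minutes (monitoring window)
        self.enabled = enabled                     # CLI: enable-limits / disable-limits
        self.limits: Dict[str, ClientLimits] = {}  # per-client overrides (CLI: edit ip_address)
        self.clients: Dict[str, ClientState] = {}
        self.admin_alerts: List[Tuple[str, float]] = []

    def _limits(self, ip):
        return self.limits.get(ip, self.default)

    def _state(self, ip):
        return self.clients.setdefault(ip, ClientState())

    def is_blocked(self, ip, now):
        st = self._state(ip)
        if st.blocked_until is None:
            return False
        if now < st.blocked_until:
            return True
        st.blocked_until, st.warnings = None, 0   # assumption: counters reset when unblock-time elapses
        return False

    def unblock(self, ip):
        """CLI: unblock ip_address."""
        st = self._state(ip)
        st.blocked_until, st.warnings = None, 0

    def connect(self, ip, now):
        """New TCP connection: 'accept', or the client's block action ('drop' / 'send-tcp-rst')."""
        if not self.enabled:
            return "accept"
        lim, st = self._limits(ip), self._state(ip)
        if self.is_blocked(ip, now) or st.open_connections >= lim.connection_limit:
            return lim.block_action
        st.open_connections += 1
        return "accept"

    def close(self, ip):
        st = self._state(ip)
        st.open_connections = max(0, st.open_connections - 1)

    def request_failed(self, ip, now):
        """Failed request: 'ok', 'warning' (failure limit exceeded) or 'blocked' (warning limit exceeded)."""
        if not self.enabled:
            return "ok"
        if self.is_blocked(ip, now):
            return "blocked"
        lim, st = self._limits(ip), self._state(ip)
        st.failures.append(now)
        while st.failures and now - st.failures[0] >= self.interval:
            st.failures.popleft()                  # only failures inside the interval count
        if len(st.failures) <= lim.failure_limit:
            return "ok"
        st.warnings += 1
        if st.warnings > lim.warning_limit:
            st.blocked_until = float("inf") if lim.unblock_time is None else now + lim.unblock_time
            self.admin_alerts.append((ip, now))    # the administrator is notified
            return "blocked"
        return "warning"


if __name__ == "__main__":
    # Constructed scenario with deliberately small limits so the progression is visible.
    det = AttackDetector(ClientLimits(connection_limit=2, failure_limit=3, warning_limit=2,
                                      block_action="send-tcp-rst", unblock_time=10))
    ip = "10.9.17.159"
    print([det.connect(ip, 0) for _ in range(3)])            # third connection is reset
    print([det.request_failed(ip, 1) for _ in range(6)])     # ok x3, warning x2, blocked
    print(det.connect(ip, 5), det.is_blocked(ip, 11), det.admin_alerts)
```

The defaults in ClientLimits match the system defaults listed above (100 connections, 50 failures, 10 warnings, drop, unlimited unblock time), so an instance built with no arguments behaves like a freshly enabled appliance in the model.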

For More Information 

□ Volume 5: Advanced Networking 



Example 

SGOS#(config) attack-detection 
SGOS#(config attack-detection) client 
SGOS#(config client) view 
Client limits enabled:          true 
Client interval:                20 minutes 

Default client limits: 
Client connection limit:        700 
Client failure limit:           50 
Client warning limit:           10 
Blocked client action:          Drop 
Client connection unblock time: unlimited 

Client limits for 10.9.17.159: 
Client connection limit:        unlimited 
Client failure limit:           unlimited 
Client warning limit:           unlimited 
Blocked client action:          Drop 
Client connection unblock time: unlimited 

Client limits for 10.9.17.134: 
Client connection limit:        700 
Client failure limit:           50 
Client warning limit:           10 
Blocked client action:          Drop 
Client connection unblock time: unlimited 
#(config server) 

Synopsis 

Configures a server for attack detection. 

Syntax 

#(config attack-detection) server 

This changes the prompt to: 

#(config server) 

Subcommands 

#(config server) create hostname 

Creates a server or server group that is identified by the hostname. 

#(config server) delete hostname 
Deletes a server or server group. 

#(config server) edit hostname

Changes the prompt to #(config server hostname)

#(config server hostname) add hostname
Adds an additional server to this server group.

#(config server hostname) exit

Exits the #(config server hostname) submode and returns to #(config server) mode.

#(config server hostname) request-limit number_of_requests

Indicates the number of simultaneous requests allowed from this server or server group. The default
is 1000.

#(config server hostname) view

Displays the request limit for this server or server group.

#(config server) exit

Exits the #(config server) submode and returns to #(config attack-detection) mode.

#(config server) view [statistics]

Displays the request limit for all servers or server groups.

For More Information 

□ Volume 5: Advanced Networking 

Example 

SGOS#(config) attack-detection
SGOS#(config attack-detection) server
SGOS#(config server) create test1
ok
SGOS#(config server) edit test1
SGOS#(config server test1) add 10.9.17.134
ok
SGOS#(config server test1) view
Server configuration for test1:
Request limit: 1000
Host: 10.9.17.134

#(config) bandwidth-gain 

Synopsis 

Bandwidth gain is a measure of the effective increase of server bandwidth resulting from the client's 
use of a content accelerator. For example, a bandwidth gain of 100% means that traffic volume from 
the SG appliance to its clients is twice as great as the traffic volume being delivered to the SG appliance 
from the origin server(s). Using bandwidth gain mode can provide substantial gains in apparent 
performance. 

Keep in mind that bandwidth gain is a relative measure of the SG appliance's ability to amplify traffic 
volume between an origin server and the clients served by the device. 

Syntax 

#(config) bandwidth-gain disable 

Disables bandwidth-gain mode.

#(config) bandwidth-gain enable 
Enables bandwidth-gain mode. 



For More Information 

□ Volume 5: Advanced Networking 

Example 

SGOS# (config) bandwidth-gain enable 

ok 
#(config) bandwidth-management 

Synopsis 

Bandwidth management allows you to classify, control, and, if required, limit the amount of
bandwidth used by a class of network traffic flowing into or out of the SG appliance.

Syntax 

#(config) bandwidth-management 

This changes the prompt to:

#(config bandwidth-management) 



Subcommands 

#(config bandwidth-management) create class_name 
Creates a bandwidth-management class. 

#(config bandwidth-management) delete class_name 

Deletes the specified bandwidth-management class. Note that if another class has a reference to the 
specified class, this command fails. 

#(config bandwidth-management) disable 
Disables bandwidth-management. 

#(config bandwidth-management) edit class_name

Changes the prompt (see #(config bandwidth-management class_name) on page 118).

#(config bandwidth-management) enable
Enables bandwidth-management.

#(config bandwidth-management) exit

Exits #(config bandwidth-management) mode and returns to #(config) mode.

#(config bandwidth-management) view configuration [bandwidth_class]

Displays bandwidth-management configuration for all bandwidth-management classes or for the class
specified.

#(config bandwidth-management) view statistics [bandwidth_class]

Displays bandwidth-management statistics for all bandwidth-management classes or for the class
specified.

For More Information 

□ Volume 5: Advanced Networking 



Example

SGOS#(config) bandwidth-management
SGOS#(config bandwidth-management) enable
ok
SGOS#(config bandwidth-management) create Office_A
ok
SGOS#(config bandwidth-management) edit Office_A
SGOS#(config bw-class Office_A) exit
SGOS#(config bandwidth-management) exit
SGOS#(config)
#(config bandwidth-management class_name) 

Synopsis 

This command allows you to edit a bandwidth-management class. 

Syntax 

#(config) bandwidth-management 
This changes the prompt to: 

#(config bandwidth-management) 

#(config bandwidth-management) edit class_name 
This changes the prompt to: 

#(config bandwidth-management class_name) 



Subcommands 

#(config bandwidth-management class_name) exit

Exits #(config bandwidth-management class_name) mode and returns to #(config
bandwidth-management) mode.

#(config bandwidth-management class_name) max-bandwidth maximum_in_kbps
Sets the maximum bandwidth for this class.

#(config bandwidth-management class_name) min-bandwidth minimum_in_kbps
Sets the minimum bandwidth for this class.

#(config bandwidth-management class_name) no max-bandwidth

Resets the maximum bandwidth of this bandwidth-management class to the default (unlimited — no
maximum).

#(config bandwidth-management class_name) no min-bandwidth

Resets the minimum bandwidth of this bandwidth-management class to the default (no minimum).

#(config bandwidth-management class_name) no parent
Clears the parent from this bandwidth-management class.

#(config bandwidth-management class_name) parent class_name
Makes the specified class a parent of the class being configured.

#(config bandwidth-management class_name) priority value_from_0_to_7

Sets the priority for this bandwidth-management class. The lowest priority level is 0 and the highest is 7.

#(config bandwidth-management class_name) view [children]

Displays the settings for this bandwidth-management class or displays the settings for the children of
this bandwidth-management class.

For More Information 

□ Volume 5: Advanced Networking 

Example 

SGOS# (config) bandwidth-management 

SGOS# (config bandwidth-management) edit CEO_A 
SGOS# (config bw-class CEO_A) parent Office_A 
ok 

SGOS# (config bw-class CEO_A) priority 2 
ok 

SGOS# (config bw-class CEO_A) exit 
SGOS# (config bandwidth-management) exit 
SGOS# (config) 
#(config) banner 



Synopsis 

This command enables you to define a login banner for your users. 

Syntax 

#(config) banner login string 

Sets the login banner to the value of string. 

#(config) banner no login 
Sets the login banner to null. 



For More Information 

□ Volume 2: Proxies and Proxy Services 

Example 

#(config) banner login "Sales and Marketing Intranet Web" 

ok 
#(config) bridge 

Synopsis 

Allows you to configure bridging. 

Syntax 

#(config) bridge 
This changes the prompt to: 

#(config bridge) 

Subcommands 

#(config bridge) bandwidth-class bridgename 
Sets bridge bandwidth class. 

#(config bridge) create bridgename 

Creates a bridge. This bridge name is case insensitive. You cannot name one bridge "ABC" and 
another bridge "abc". 

#(config bridge) delete bridgename 
Deletes the bridge. 

#(config bridge) edit bridgename

Changes the prompt to #(config bridge bridgename)

#(config bridge bridgename) exit

Exits the #(config bridge bridgename) submode and returns to #(config bridge) mode.

#(config bridge) no bandwidth-class
Clears the bandwidth-class settings.

#(config bridge) view {configuration | statistics | fwtable} bridgename
Displays information for the specified bridge or for all bridges.



Note: To bandwidth-manage a bridge, bandwidth management must be enabled. Bandwidth
management is enabled by default if you have a valid bandwidth-management license. You must
also create a bandwidth class for bridging (in bandwidth-management mode) before you can
select it here. See #(config bandwidth-management class_name) on page 118 for more
information.



For More Information 

□ Volume 1: Getting started 

Example 

SGOS#(config) bridge
SGOS#(config bridge) create test
ok
SGOS#(config bridge) exit
SGOS#(config)
#(config bridge bridge_name) 

Synopsis 

This command allows you to edit a bridge. 

Syntax 

#(config) bridge 
This changes the prompt to: 

#(config bridge) 

#(config bridge) edit bridge_name 
This changes the prompt to: 

#(config bridge bridge_name) 

Subcommands 

#(config bridge bridgename) attach-interface adapter#:interface#

Attaches the interface to the bridge.

#(config bridge bridgename) clear-fwtable {static}

Clears the bridge forwarding table.

#(config bridge bridgename) clear-statistics
Clears the bridge statistics.

#(config bridge bridgename) exit

Exits #(config bridge bridge_name) mode and returns to #(config bridge) mode.

#(config bridge bridgename) failover {group | mode} {parallel | serial}

Associates the bridge to a failover group or sets the bridge failover mode.

#(config bridge bridgename) mode ?

Sets the mode for network adapters that can be used as either a pass-through adapter or as a Network
Interface Card.

#(config bridge bridgename) no {interface | failover | static-fwtable-entry}
Clears the settings as follows:
interface: Removes the interface from the bridge.
failover: Negates failover settings.
static-fwtable-entry: Clears the static forwarding table entry.

#(config bridge bridgename) spanning-tree adapter#:interface# {enable | disable}
Enables or disables spanning tree participation.

#(config bridge bridgename) static-fwtable-entry adapter#:interface# mac-address
Adds a static forwarding table entry.

#(config bridge bridgename) view {configuration | statistics | fwtable}

Displays information for the specified bridge.

For More Information 

□ Volume 1: Getting started 

Example 

SGOS#(config) bridge
SGOS#(config bridge) edit b_1
SGOS#(config bridge b_1) attach-interface 0:1
ok
SGOS#(config bridge b_1) failover mode parallel
ok
SGOS#(config bridge b_1) exit
SGOS#(config bridge) exit
SGOS#(config)
#(config) caching 

Synopsis 

Objects can be stored and managed for later retrieval. 

Discussion 

When a stored HTTP object expires, it is placed in a refresh list. The SG appliance processes the refresh
list in the background, when it is not serving requests. Refresh policies define how the device handles
the refresh process.

The HTTP caching options allow you to specify:

□ Maximum object size

□ Negative responses

□ Refresh parameters

In addition to HTTP objects, the SG appliance can store objects requested using FTP. When the device
retrieves and stores an FTP object, it uses two methods to determine how long the object should stay
cached.

□ If the object has a last-modified date, the SG appliance assigns a refresh date to the object that
is a percentage of the time elapsed since its last-modified date.

□ If the object does not have a last-modified date, the SG appliance assigns a refresh date to the
object based on a fixed period of time.

Syntax 

#(config) caching 
This changes the prompt to:

#(config caching) 



Subcommands 

#(config caching) always-verify-source

Specifies that the SG appliance should always verify the freshness of an object with the object source.

#(config caching) exit

Exits the #(config caching) mode and returns to #(config) mode.

#(config caching) ftp

Changes the prompt to #(config caching ftp) (see page 126).

#(config caching) max-cache-size megabytes

Specifies the maximum size of the cache to the value indicated by megabytes.

#(config caching) negative-response minutes

Specifies that negative responses should be cached for the time period identified by minutes.

#(config caching) no always-verify-source

Specifies that the SG appliance should never verify the freshness of an object with the object source.

#(config caching) refresh automatic

Specifies that the SG appliance should manage the refresh bandwidth.

#(config caching) refresh bandwidth kbps

Specifies the amount of bandwidth, in kilobits per second, to use for maintaining object freshness.

#(config caching) refresh no automatic

Specifies that the SG appliance should not manage the refresh bandwidth.

#(config caching) view 
Displays caching parameters. 



For More Information 

□ Volume 2: Proxies and Proxy Services 

Example 

SGOS#(config) caching
SGOS#(config caching) always-verify-source
ok
SGOS#(config caching) max-cache-size 100
ok
SGOS#(config caching) negative-response 15
ok
SGOS#(config caching) refresh automatic
ok
SGOS#(config caching) exit
SGOS#(config)
#(config caching ftp) 

Synopsis 

The FTP caching options allow you to specify: 

□ Transparency 

□ Maximum object size 

□ Caching objects by date 

□ Caching objects without a last-modified date: if an FTP object is served without a last-modified
date, the SG appliance caches the object for a set period of time.

Syntax

#(config) caching
This changes the prompt to:

#(config caching)

#(config caching) ftp
This changes the prompt to:

#(config caching ftp)



Subcommands 

#(config caching ftp) {disable | enable}

Disables or enables caching FTP objects.

#(config caching ftp) exit

Exits #(config caching ftp) mode and returns to #(config caching) mode.

#(config caching ftp) type-m-percent percent
Specifies the TTL for objects with a last-modified time, as a percentage.

#(config caching ftp) type-n-initial hours
Specifies the TTL, in hours, for objects with no last-modified time (and therefore no derivable expiration).

#(config caching ftp) view

Shows the current FTP caching settings.

For More Information 

□ Volume 2: Proxies and Proxy Services 
Example

SGOS#(config caching) ftp
SGOS#(config caching ftp) enable
ok
SGOS#(config caching ftp) max-cache-size 200
ok
SGOS#(config caching ftp) type-m-percent 20
ok
SGOS#(config caching ftp) type-n-initial 10
ok
SGOS#(config caching ftp) exit
SGOS#(config caching) exit
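The two FTP refresh rules described under the caching command (a percentage of the object's age when a last-modified date exists, a fixed number of hours otherwise) modelled in Python with the values from the session above. This is an added example, not Blue Coat code; it assumes "percentage of the last-modified date" means a percentage of the time between the object's Last-Modified stamp and the fetch, and the clock-skew fallback is this example's own choice.

```python
# Added example (not Blue Coat code): a model of the two FTP refresh-date rules
# this page describes, using the values from the example session
# (type-m-percent 20, type-n-initial 10). Assumption: "a percentage of the
# last-modified date" means a percentage of the object's age, i.e. the time
# between its Last-Modified stamp and the moment the appliance fetched it.
from datetime import datetime, timedelta
from typing import Optional

TYPE_M_PERCENT = 20          # from the page's example session
TYPE_N_INITIAL_HOURS = 10    # from the page's example session


def ftp_refresh_date(fetched_at: datetime, last_modified: Optional[datetime],
                     type_m_percent: int = TYPE_M_PERCENT,
                     type_n_initial_hours: int = TYPE_N_INITIAL_HOURS) -> datetime:
    """Return the moment after which the cached FTP object must be refreshed."""
    fixed_ttl = timedelta(hours=type_n_initial_hours)
    if last_modified is None:
        # Type-N object: no Last-Modified date, so the fixed TTL applies.
        return fetched_at + fixed_ttl
    age = fetched_at - last_modified
    if age <= timedelta(0):
        # A Last-Modified stamp in the future can only come from clock skew
        # (the clock command exists because the cache needs correct UTC).
        # The age-based rule would give a zero or negative TTL, so this model
        # falls back to the fixed Type-N TTL instead (assumption, not from the page).
        return fetched_at + fixed_ttl
    # Type-M object: the TTL is a percentage of the object's age. Something
    # unchanged for ten days is trusted for 20% of ten days, i.e. two days.
    return fetched_at + age * type_m_percent / 100


def ttl_hours(fetched_iso: str, last_modified_iso: Optional[str], **limits) -> float:
    """String-based wrapper: hours of freshness granted at fetch time."""
    fetched = datetime.fromisoformat(fetched_iso)
    modified = datetime.fromisoformat(last_modified_iso) if last_modified_iso else None
    return (ftp_refresh_date(fetched, modified, **limits) - fetched).total_seconds() / 3600


def is_fresh(now_iso: str, fetched_iso: str, last_modified_iso: Optional[str]) -> bool:
    """True if an object fetched at fetched_iso is still served from cache at now_iso."""
    fetched = datetime.fromisoformat(fetched_iso)
    modified = datetime.fromisoformat(last_modified_iso) if last_modified_iso else None
    return datetime.fromisoformat(now_iso) < ftp_refresh_date(fetched, modified)


if __name__ == "__main__":
    # Constructed sample: an object fetched on 2003-04-11 (the clock example on
    # this page sets the year to 2003) that last changed ten days earlier.
    print(ttl_hours("2003-04-11T00:00:00+00:00", "2003-04-01T00:00:00+00:00"))  # 48.0
    print(ttl_hours("2003-04-11T00:00:00+00:00", None))                          # 10.0
    print(is_fresh("2003-04-12T12:00:00+00:00", "2003-04-11T00:00:00+00:00",
                   "2003-04-01T00:00:00+00:00"))                                 # True
```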
#(config) cifs 
Synopsis 
Syntax 

SGOS#(config) cifs
This changes the prompt to:
SGOS#(config cifs)

Subcommands

SGOS#(config cifs) directory-cache-time seconds

This option determines how long directory information is kept in cache. Changes made to a directory by
clients not using the SG appliance are not visible to SG clients if they occur within this time interval. The
default cache time is 30 seconds.

SGOS#(config cifs) exit

Returns to the #(config) mode.

SGOS#(config cifs) read-ahead {disable | enable}

This option is enabled by default and improves performance by attempting to fetch and cache blocks of
data that might be requested by a client before the actual request occurs. Disabling this option causes the
SG appliance to fetch and cache only data actually requested by clients.

SGOS#(config cifs) strict-directory-expiration {disable | enable}

This option is disabled by default. When this option is enabled and directory-cache-time has a
value of 0, directories are refreshed synchronously instead of in the background. This is needed when the
set of visible objects in a directory returned by a server can vary between users.

SGOS#(config cifs) view {configuration | statistics}

Views the configuration or statistics of CIFS.

SGOS#(config cifs) write-back {full | none}

This option is set to full by default, which improves performance by acknowledging client writes
immediately and sending them to the server in the background. Setting this option to none forces all
writes to be sent to the server synchronously.

For More Information 

□ Volume 2: Proxies and Proxy Services 

Example 



Volume 11: Command Line Interface Reference 



#(config) clock 

Synopsis 

To manage objects in the cache, an SG appliance must know the current Universal Time Coordinates
(UTC) time. By default, the device attempts to connect to a Network Time Protocol (NTP) server to
acquire the UTC time. The SG appliance includes a list of NTP servers available on the Internet, and
attempts to connect to them in the order they appear in the NTP server list on the NTP tab. If the SG
appliance cannot access any of the listed NTP servers, you must manually set the UTC time using the
clock command.

Syntax 

#(config) clock [subcommands] 



Subcommands 

#(config) clock day day

Sets the Universal Time Code (UTC) day to the day indicated by day. The value can be any integer from
1 through 31.

#(config) clock hour hour

Sets the UTC hour to the hour indicated by hour. The value can be any integer from 0 through 23.

#(config) clock minute minute

Sets the UTC minute to the minute indicated by minute. The value can be any integer from 0 through
59.

#(config) clock month month

Sets the UTC month to the month indicated by month. The value can be any integer from 1 through 12.

#(config) clock second second

Sets the UTC second to the second indicated by second. The value can be any integer from 0 through 59.

#(config) clock year year

Sets the UTC year to the year indicated by year. The value must take the form xxxx.

For More Information 

□ Volume 1: Getting started 



Example

SGOS#(config) clock year 2003
ok
SGOS#(config) clock month 4
ok
SGOS#(config) clock day 1
ok
SGOS#(config) clock hour 0
ok
SGOS#(config) clock minute 30
ok
SGOS#(config) clock second 59
ok
#(config) console-services 



Synopsis 

The SG appliance provides console services to communicate: 

□ HTTP (Not enabled by default) 

□ HTTPS 

□ SSH 

□ Telnet (Not created by default; a Telnet proxy service is created by default on port 23.) 

Syntax 

#(config) console-services 
This changes the prompt to: 

#(config console-services) 



Subcommands

The options below allow you to manage the console service.

#(config console-services) create {http-console | https-console | ssh-console | telnet-console} consolename

Creates a console service with the service name you choose.

#(config console-services) delete consolename
Deletes the specified service name.

#(config console-services) edit consolename

Changes the prompt, depending on the console service you choose:

#(config http-console) on page 131

#(config https-console) on page 132

#(config ssh-console) on page 134

#(config telnet-console) on page 135

#(config console-services) exit

Leaves console-services submode; returns to the config prompt.

#(config console-services) view
Views all console services.

Note: If you create a console name with spaces, the name must be enclosed in quotes; for example,
"My Console1".
#(config http-console) 

Synopsis 

This console service intercepts HTTP traffic, usually on port 80. This console service is created but not
enabled due to security concerns.

Syntax

#(config console-services) edit http_console
This changes the prompt to:

#(config http_console)



Subcommands 

#(config http_console) add {all | proxy_ip_address} port {enable | disable}

Add a listener to the console service. All selects all IP addresses on the proxy; alternatively, you can select
a specific proxy's IP address. You must always choose a port. By default the listener is enabled.

#(config http_console) disable {all | proxy_ip_address} port
Disables the specified listener.

#(config http_console) enable {all | proxy_ip_address} port
Enables the specified listener.

#(config http_console) exit

Exits to the #(config console-services) prompt.

#(config http_console) view

Views a summary of the console service's configuration.

For More Information 

□ "console-services" on page 130

□ Volume 2: Proxies and Proxy Services 

Example 

SGOS#(config) console-services
SGOS#(config console-services) create http-console http_console
SGOS#(config console-services) edit http_console
SGOS#(config http_console) add 10.25.36.47 80
SGOS#(config http_console) enable 10.25.36.47 80
#(config https-console) 

Synopsis 

The HTTPS console intercepts traffic on port 8082. You can create additional HTTPS consoles if
necessary.

Syntax

#(config console-services) edit https_console

This changes the prompt to:

#(config https_console)



Subcommands 

#(config https_console) add {all | proxy_ip_address} port {enable | disable}

Add a listener to the console service. All selects all IP addresses on the proxy; alternatively, you can select
a specific proxy's IP address. You must always choose a port. By default the listener is enabled.

#(config https_console) attribute cipher-suite cipher-suites

Associates one or more cipher suites with the console service. Cipher suites can be any combination of the
following:

rc4-md5
rc4-sha
des-cbc3-sha
des-cbc3-md5
rc2-cbc-md5
rc4-64-md5
des-cbc-sha
des-cbc-md5
exp1024-rc4-md5
exp1024-rc4-sha
exp1024-rc2-cbc-md5
exp1024-des-cbc-sha
exp-rc4-md5
exp-rc2-cbc-md5
exp-des-cbc-sha
aes128-sha
aes256-sha

#(config https_console) attribute keyring keyring_ID
Specifies the keyring ID you want to use with this console.

#(config https_console) attribute ssl-versions {sslv2 | sslv3 | tlsv1 | sslv2v3 | sslv2tlsv1 | sslv3tlsv1 | sslv2v3tlsv1}

Selects the SSL versions to use.

#(config https_console) disable {all | proxy_ip_address} port
Disables the specified listener.

#(config https_console) enable {all | proxy_ip_address} port
Enables the specified listener.

#(config https_console) exit

Exits to the #(config console-services) prompt.

#(config https_console) view

Views a summary of the console service's configuration.

For More Information 

□ "console-services" on page 130

□ Volume 2: Proxies and Proxy Services 

Example 

SGOS#(config) console-services
SGOS#(config console-services) create https-console https_console
SGOS#(config console-services) edit https_console
SGOS#(config https_console) add 10.25.36.47 80
SGOS#(config https_console) enable 10.25.36.47 80
SGOS#(config https_console) attribute cipher-suite rc4-md5 des-cbc-sha aes128-sha



Note: For a discussion of available cipher suites, refer to Volume 2: Proxies and Proxy Services.
#(config ssh-console) 



Synopsis 

The SSH console service allows you to securely connect to the Command Line Interface. By default,
SSHv2 is enabled and assigned to port 22. You do not need to create a new host key unless you want to
change the existing configuration.

Syntax 

#(config console-services) edit ssh_console 
This changes the prompt to: 

#(config ssh_console) 



Subcommands 

#(config ssh_console) add {all | proxy_ip_address} port {enable | disable}

Add a listener to the console service. All selects all IP addresses on the proxy; alternatively, you can select
a specific proxy's IP address. You must always choose a port. By default the listener is enabled.

#(config ssh_console) disable {all | proxy_ip_address} port
Disables the specified listener.

#(config ssh_console) enable {all | proxy_ip_address} port
Enables the specified listener.

#(config ssh_console) exit

Exits to the #(config console-services) prompt.

#(config ssh_console) view

Views a summary of the console service's configuration.

For More Information 

□ "console-services" on page 130

□ "ssh-console" on page 327



Example

SGOS#(config) console-services
SGOS#(config console-services) create ssh-console ssh_console
SGOS#(config console-services) edit ssh_console
SGOS#(config ssh_console) add 10.25.36.47 80
SGOS#(config ssh_console) enable 10.25.36.47 80
#(config telnet-console) 

Synopsis 

This console service provides access to the administrative CLI through Telnet. Due to security 
concerns, use of this console is not recommended. 

A shell Telnet proxy service is created on port 23. If you do decide to create a Telnet console, you must
first remove the Telnet proxy service and apply the changes. You can later re-add the Telnet proxy
service on a different port.

Syntax

#(config console-services) edit telnet_console
This changes the prompt to:

#(config telnet_console)

Subcommands 

#(config telnet_console) add {all | proxy_ip_address} port {enable | disable}
Add a listener to the console service. All selects all IP addresses on the proxy; alternatively, you can select
a specific proxy's IP address. You must always choose a port. By default the listener is enabled.

#(config telnet_console) disable {all | proxy_ip_address} port
Disables the specified listener.

#(config telnet_console) enable {all | proxy_ip_address} port
Enables the specified listener.

#(config telnet_console) exit

Exits to the #(config console-services) prompt.

#(config telnet_console) view

Views a summary of the console service's configuration.

For More Information 

□ "console-services" on page 130

□ Volume 2: Proxies and Proxy Services 

Example 

SGOS#(config) console-services
SGOS#(config console-services) create telnet-console telnet_console
SGOS#(config console-services) edit telnet_console
SGOS#(config telnet_console) add 10.25.36.47 80
SGOS#(config telnet_console) enable 10.25.36.47 80
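The console-services sections above name three things an administrator should check: the HTTP console is shipped created but not enabled for security reasons, the Telnet console is not recommended, and the HTTPS console's cipher-suite and ssl-versions attributes can select weak suites or legacy protocol versions. The following audit of a console-services configuration is an added example, not Blue Coat code; the Listener and ConsoleService classes, the sample configuration (built from the sessions above) and the weak/strong classification are this example's own assumptions, and the ssl-versions keyword expansion follows the keyword forms listed for the https-console.

```python
# Added example (not Blue Coat code): audits a console-services configuration like the
# ones built in the example sessions on this page for the risks the page itself names:
# an HTTP console (created but not enabled for security reasons), a Telnet console
# (use not recommended), and weak cipher suites or legacy SSL versions on an HTTPS
# console. The weak/strong classification reflects current industry guidance and is
# not a statement from the page.
from dataclasses import dataclass, field
from typing import List, Set, Tuple

PLAINTEXT_CONSOLES = {"http-console", "telnet-console"}
LEGACY_SSL_VERSIONS = {"sslv2", "sslv3"}
# Keyword forms accepted by "attribute ssl-versions" on this page.
SSL_VERSION_KEYWORDS = {"sslv2", "sslv3", "tlsv1", "sslv2v3",
                        "sslv2tlsv1", "sslv3tlsv1", "sslv2v3tlsv1"}


@dataclass
class Listener:
    address: str            # "all" or a proxy IP address
    port: int
    enabled: bool = True    # the page: "By default the listener is enabled"


@dataclass
class ConsoleService:
    name: str
    kind: str               # http-console | https-console | ssh-console | telnet-console
    listeners: List[Listener] = field(default_factory=list)
    cipher_suites: List[str] = field(default_factory=list)   # https-console only
    ssl_versions: str = "sslv2v3tlsv1"                        # assumed default (https only)


def weak_cipher_reasons(suite: str) -> List[str]:
    """Why a suite name from the page's cipher-suite list is weak; [] if acceptable."""
    reasons = []
    if suite.startswith("exp"):
        reasons.append("export-grade key length")
    if "rc4" in suite:
        reasons.append("RC4")
    if "rc2" in suite or ("des-cbc" in suite and "des-cbc3" not in suite):
        reasons.append("RC2 or single DES")
    if suite.startswith("des-cbc3"):
        reasons.append("3DES (64-bit block)")
    if suite.endswith("md5"):
        reasons.append("MD5 MAC")
    return reasons


def expand_ssl_versions(keyword: str) -> Set[str]:
    """Expand a concatenated keyword such as sslv2v3tlsv1 into the versions it enables."""
    if keyword not in SSL_VERSION_KEYWORDS:
        raise ValueError(f"unknown ssl-versions keyword: {keyword}")
    versions = set()
    if "sslv2" in keyword:
        versions.add("sslv2")
    if "sslv3" in keyword or "v2v3" in keyword:
        versions.add("sslv3")
    if "tlsv1" in keyword:
        versions.add("tlsv1")
    return versions


def audit(services: List[ConsoleService]) -> List[Tuple[str, str]]:
    """Return (service name, finding) pairs; an empty list means nothing to report."""
    findings = []
    for svc in services:
        active = [ln for ln in svc.listeners if ln.enabled]
        if svc.kind in PLAINTEXT_CONSOLES and active:
            where = ", ".join(f"{ln.address}:{ln.port}" for ln in active)
            findings.append((svc.name, f"{svc.kind} enabled on {where}: "
                                       "administrative traffic in cleartext"))
        if svc.kind == "https-console":
            for suite in svc.cipher_suites:
                reasons = weak_cipher_reasons(suite)
                if reasons:
                    findings.append((svc.name, f"weak cipher suite {suite} "
                                               f"({', '.join(reasons)})"))
            legacy = sorted(expand_ssl_versions(svc.ssl_versions) & LEGACY_SSL_VERSIONS)
            if legacy:
                findings.append((svc.name, "legacy protocol versions allowed: "
                                           + ", ".join(legacy)))
    return findings


# Constructed sample mirroring the example sessions on this page (listener
# 10.25.36.47 port 80, suites rc4-md5 des-cbc-sha aes128-sha).
SAMPLE_SERVICES = [
    ConsoleService("http_console", "http-console", [Listener("10.25.36.47", 80)]),
    ConsoleService("https_console", "https-console", [Listener("10.25.36.47", 80)],
                   ["rc4-md5", "des-cbc-sha", "aes128-sha"], "sslv2v3tlsv1"),
    ConsoleService("ssh_console", "ssh-console", [Listener("10.25.36.47", 80)]),
    ConsoleService("telnet_console", "telnet-console", [Listener("10.25.36.47", 80)]),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_SERVICES):
        print(f"{name}: {finding}")
```

Running it on the sample reports the enabled HTTP and Telnet consoles, the two weak suites and the SSLv2/SSLv3 selection on the HTTPS console, and nothing for the SSH console.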
#(config) content 

Synopsis 

Use this command to manage and manipulate content distribution requests and re-validate requests. 



Note: The content command options are not compatible with transparent FTP. 



Syntax 

#(config) content [subcommands] 



Subcommands 

#(config) content cancel outstanding-requests

Specifies to cancel all outstanding content distribution requests and re-validate requests.

#(config) content cancel url url

Specifies to cancel outstanding content distribution requests and re-validate requests for the URL
identified by url.

#(config) content delete regex regex

Specifies to delete content based on the regular expression identified by regex.

#(config) content delete url url

Specifies to delete content for the URL identified by url.

#(config) content distribute url [from_url]

Specifies that the content associated with url should be distributed from the origin server.

#(config) content priority regex priority_0-7 regex

Specifies to add a content deletion policy based on the regular expression identified by regex.

#(config) content priority url priority_0-7 url

Specifies to add a content deletion policy for the URL identified by url.

#(config) content revalidate regex regex

Revalidates the content associated with the regular expression identified by regex with the origin
server.

#(config) content revalidate url url [from_url]

Revalidates the content associated with the url.

For More Information 

□ Blue Coat Director Configuration and Management Guide 



Example

SGOS#(config) content distribute http://www.bluecoat.com
Current time: Mon, 01 Apr 2003 00:34:07 GMT
SGOS#(config) content revalidate url http://www.bluecoat.com
Last load time: Mon, 01 Apr 2003 00:34:07 GMT
SGOS#(config) content distribute http://www.bluecoat.com
Current time: Mon, 01 Apr 2003 00:35:01 GMT
SGOS#(config) content priority url 7 http://www.bluecoat.com
SGOS#(config) content cancel outstanding-requests
SGOS#(config) content delete url http://www.bluecoat.com
#(config) content-filter 

Synopsis 

The SG appliance offers the option of using content filtering to control the type of retrieved content
and to filter requests made by clients. The SG appliance supports the following content filtering
methods:

□ Local database

This method allows you to create and maintain your own content-filtering list locally, through
the SG appliance CLI or Management Console.

□ Blue Coat Web Filter (BCWF)

BCWF is a highly effective content-filtering service that can quickly learn and adapt to the
working set of its users. Also, BCWF can use Dynamic Real Time Rating (DRTR) to analyze
requested Web pages in real time, blocking new, unrated content on the fly, while providing
the database with instant updates that impact all users without service interruption.

□ Internet Watch Foundation® (IWF)

The IWF is a non-profit organization that provides enterprises with a list of known child
pornography URLs. The IWF database features a single category called IWF-Restricted, which
is detectable and blockable using policy. IWF can be enabled along with other content-filtering
services.

□ Vendor-based content filtering

This method allows you to block URLs using vendor-defined categories. For this method, use
content-filtering solutions from the following vendors:

• i-FILTER

• InterSafe™

• Optenet

• Proventia™

• SmartFilter™

• SurfControl™

• Websense® (both locally on the SG appliance and remotely on a separate Websense
Enterprise Server)

• WebWasher®

You can also combine this type of content filtering with the SG appliance policies, which use
the Blue Coat Policy Language.

□ Denying access to URLs through policy

This method allows you to block by URL, including filtering by scheme, domain, or
individual host or IP address. For this method, you define SG appliance policies, which use
the Blue Coat Policy Language.

Syntax 

#(config) content- filter 
This changes the prompt to: 

#(config content-filter) 

Subcommands 

#(config content-filter) bluecoat 

Enters configuration mode for Blue Coat Web Filter. See # (conf ig bluecoat) on page 140. 

#(config content-filter) categories 
Shows available categories. 

#(config content-filter) exit 

Exits configure content filter mode and returns to configure mode. 

#(config content-filter) i-filter 

Enters configuration mode for i-FlLTER. See # (conf ig i-filter) on page 142. 

#(config content-filter) intersafe 

Enters configuration mode for InterSafe. See # (conf ig intersafe) on page 144. 

#(config content-filter) iwf 

Enters configuration mode for IWF. See # (conf ig iwf) on page 146. 

#(config content-filter) local 

Enters configuration mode for the local database. See #(config local) on page 148. 

#(config content-filter) no review-message 

Specifies that vendor categorization review be turned off. 

#(config content-filter) optenet 

Enters configuration mode for Optenet. See #(config optenet) on page 150. 

#(config content-filter) proventia 

Enters configuration mode for Proventia. See #(config proventia) on page 152. 

#(config content-filter) provider bluecoat {disable | enable | lookup-mode 
{always | uncategorized}} 

Enables or disables the Blue Coat Web Filter database. The lookup-mode option specifies whether every 
URL should be categorized by the downloaded filter. 

#(config content-filter) provider local {disable | enable | lookup-mode {always | 
uncategorized}} 

Enables or disables a local user database. The lookup-mode option specifies whether every URL should 
be categorized by the downloaded filter. 

#(config content-filter) provider iwf {disable | enable | lookup-mode {always | 
uncategorized}} 

Enables or disables IWF filtering. The lookup-mode option specifies whether every URL should be 
categorized by the downloaded filter. 

#(config content-filter) provider 3rd-party i-filter 
Selects i-FILTER content filtering. 

#(config content-filter) provider 3rd-party intersafe 
Selects InterSafe content filtering. 

#(config content-filter) provider 3rd-party none 

Specifies that a third-party vendor not be used for content filtering. 

#(config content-filter) provider 3rd-party optenet 
Selects Optenet content filtering. 
#(config content-filter) provider 3rd-party proventia 
Selects Proventia Web Filter content filtering. 

#(config content-filter) provider 3rd-party smartfilter 
Selects SmartFilter content filtering. 

#(config content-filter) provider 3rd-party surfcontrol 
Selects SurfControl content filtering. 

#(config content-filter) provider 3rd-party websense 
Selects Websense content filtering. 

#(config content-filter) provider 3rd-party webwasher 
Selects Webwasher URL Filter content filtering. 

#(config content-filter) provider {local | bluecoat | iwf | 3rd-party} 
lookup-mode {always | uncategorized} 

Selects Lookup Mode. Default is Always. 
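The interaction between provider order and lookup-mode is easiest to see in code. The following Python is an added model, not SGOS code: the page only says that lookup-mode controls whether every URL is categorized by the downloaded filter, so the semantics below (providers consulted in order; an "always" provider queried for every URL; an "uncategorized" provider queried only when no earlier provider returned a category) and the toy databases are assumptions. 

```python
"""Model of provider lookup-mode {always | uncategorized}.

Added example, not SGOS code. Assumed semantics: providers are consulted in
the configured order; 'always' means the provider's database is queried for
every URL; 'uncategorized' means it is queried only when no earlier provider
has already categorized the URL. Databases are constructed toy data keyed by
hostname; the real ones are downloaded from each vendor.
"""
from urllib.parse import urlsplit

# Constructed toy databases (hostname -> categories).
DATABASES = {
    "local":    {"intranet.corp.example": {"Corporate"}},
    "iwf":      {"bad.example.net": {"IWF-Restricted"}},
    "bluecoat": {"news.example.org": {"News/Media"},
                 "bad.example.net": {"Adult/Mature"},
                 "intranet.corp.example": {"Business"}},
}

# Provider order and lookup-mode, as 'provider <name> lookup-mode <mode>' would set it.
# Default mode on the appliance is 'always'; this constructed configuration narrows
# the local and Blue Coat lookups and keeps the IWF list in 'always'.
PROVIDERS = [("local", "uncategorized"), ("iwf", "always"), ("bluecoat", "uncategorized")]


def lookup_url(url, providers=PROVIDERS, databases=DATABASES):
    """Return {provider: categories} for the URL under the given lookup-modes
    (the information 'test-url' displays, under the assumed semantics)."""
    host = (urlsplit(url).hostname or "").lower()
    result = {}
    for name, mode in providers:
        if mode not in ("always", "uncategorized"):
            raise ValueError(f"bad lookup-mode {mode!r} for provider {name}")
        if mode == "uncategorized" and result:
            continue  # an earlier provider already categorized it: skip this lookup
        cats = databases.get(name, {}).get(host)
        if cats:
            result[name] = set(cats)
    return result


def categories(url, **kw):
    """Flattened set of every category any consulted provider returned."""
    return set().union(*lookup_url(url, **kw).values())
```

Under this model a restrictive list such as IWF-Restricted is only guaranteed to be checked when its provider is in "always" mode; in "uncategorized" mode a hit in an earlier database would pre-empt it. Conversely, "uncategorized" on a vendor database avoids a lookup for every URL the local database already handles. 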

#(config content-filter) review-message 

Used for categorization review for certain content filtering vendors. The review-message setting enables 
two substitutions that can be used in exception pages to allow users to review or dispute content 
categorization results. 

#(config content-filter) smartfilter 

Enters configuration mode for SmartFilter. See #(config smartfilter) on page 154. 

#(config content-filter) surfcontrol 

Enters configuration mode for SurfControl. See #(config surfcontrol) on page 156. 

#(config content-filter) test-url url 

Displays the categories assigned to a URL by the current configuration. 

#(config content-filter) websense 

Enters configuration mode for Websense. See #(config websense) on page 158. 

#(config content-filter) webwasher 

Enters configuration mode for WebWasher. See #(config webwasher) on page 160. 

#(config content-filter) view 

Shows the current settings for the local database (if it is in use) and the selected provider (if one is 
selected). 

For More Information 

□ Volume 7: Managing Content 

□ Volume 10: Content Policy Language Guide 

Example 

SGOS# (config) content-filter 

SGOS# (config content-filter) provider 3rd-party proventia 
loading database .... 
ok 

SGOS# (config content-filter) exit 
SGOS# (config) 
#(config bluecoat) 



Synopsis 

Use this command to configure Blue Coat Web Filter content filtering. 

Syntax 

#(config) content-filter 
This changes the prompt to: 

#(config content-filter) bluecoat 
This changes the prompt to: 

#(config bluecoat) 



Subcommands 



#(config bluecoat) download all-day 
Checks for database updates all day. 

#(config bluecoat) download auto 
Enables automatic database downloads. 

#(config bluecoat) download between-hours start stop 

Sets the interval for automatic database update checks. 

#(config bluecoat) download encrypted-password encrypted_password 
Specifies the encrypted password for the database download server. 

#(config bluecoat) download get-now 
Initiates an immediate database download. 

#(config bluecoat) download password password 
Specifies the password for the database download server. 

#(config bluecoat) download url {default | url} 

Specifies using either the default URL or a specific URL for the database download server. 

#(config bluecoat) download username username 
Specifies the username for the database download server. 

#(config bluecoat) exit 

Exits configure bluecoat mode and returns to configure content-filter mode. 

#(config bluecoat) no download auto 
Disables automatic download. 

#(config bluecoat) no download day-of-week {friday | monday | saturday | sunday | 
thursday | tuesday | wednesday} 

Clears day(s) of the week for automatic download. 

#(config bluecoat) no download encrypted-password 
Clears the encrypted password for the database download server. 

#(config bluecoat) no download password 

Clears the password for the database download server. 

#(config bluecoat) no download url 

Clears the URL for the database download server. 
#(config bluecoat) no download username 

Clears the username for the database download server. 

#(config bluecoat) service {disable | enable} 

Enables or disables dynamic categorization. 

#(config bluecoat) service mode {background | realtime | none} 

Configures dynamic categorization to run in the background, run in real time, or to not run. 

#(config bluecoat) view 

Shows the current Blue Coat settings. 
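The download subcommands above (auto, all-day, between-hours, and the day-of-week clearing form) together define when the appliance checks for database updates; the same set recurs for every provider in this section. The following Python is an added model of that schedule, not SGOS code. Assumptions: between-hours takes whole hours 0 to 23 on the appliance's local clock, a window whose stop is earlier than its start wraps past midnight, all-day ignores the window, and "no download day-of-week" removes that day from an initially complete set. 

```python
"""Model of the automatic database-download window.

Added example, not SGOS code. Assumptions: 'between-hours start stop' takes
hours 0..23 on the local clock; stop < start means the window wraps past
midnight; 'all-day' ignores the window; every day is eligible until
'no download day-of-week <day>' removes it.
"""
from datetime import datetime

DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")


class DownloadSchedule:
    """Automatic-download settings, mirroring the CLI subcommands."""

    def __init__(self):
        self.auto = False              # 'download auto' / 'no download auto'
        self.all_day = True            # 'download all-day'
        self.start, self.stop = 0, 23  # 'download between-hours start stop'
        self.days = set(DAYS)          # pruned by 'no download day-of-week <day>'

    def download_auto(self, enabled=True):
        self.auto = enabled

    def download_all_day(self):
        self.all_day = True

    def download_between_hours(self, start, stop):
        if not (0 <= start <= 23 and 0 <= stop <= 23):
            raise ValueError("hours must be in 0..23")
        self.all_day = False
        self.start, self.stop = start, stop

    def no_download_day_of_week(self, day):
        day = day.lower()
        if day not in DAYS:
            raise ValueError(f"unknown day {day!r}")
        self.days.discard(day)

    def update_due(self, when):
        """True if an automatic update check may run at `when`, given as a
        datetime or an ISO-8601 string such as '2024-01-01T23:00'."""
        if isinstance(when, str):
            when = datetime.fromisoformat(when)
        if not self.auto:
            return False
        if DAYS[when.weekday()] not in self.days:
            return False
        if self.all_day:
            return True
        if self.start <= self.stop:
            return self.start <= when.hour <= self.stop
        return when.hour >= self.start or when.hour <= self.stop  # wraps past midnight
```

A narrow window keeps update traffic off the busy hours, but every hour outside it is an hour during which newly listed URLs are not yet in the local copy of the database; the trade-off is the reason "download get-now" exists as a manual override. 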



For More Information 

□ Volume 7: Managing Content 



Example 



SGOS# (config) content-filter 

SGOS# (config content-filter) bluecoat 

SGOS# (config bluecoat) service mode background 



ok 

SGOS# (config bluecoat) exit 
SGOS# (config content-filter) exit 
SGOS# (config) 
#(config i-filter) 

Synopsis 

Use this command to configure i-FILTER content filtering. 

Syntax 

#(config) content-filter 
This changes the prompt to: 

#(config content-filter) i-filter 
This changes the prompt to: 

#(config i-filter) 

Subcommands 

#(config i-filter) download all-day 
Checks for database updates all day. 

#(config i-filter) download auto 
Enables automatic database downloads. 

#(config i-filter) download between-hours start stop 
Sets the interval for automatic database update checks. 

#(config i-filter) download encrypted-password encrypted_password 
Specifies the encrypted password for the database download server. 

#(config i-filter) download get-now 
Initiates an immediate database download. 

#(config i-filter) download password password 
Specifies the password for the database download server. 

#(config i-filter) download url {default | url} 

Specifies using either the default URL or a specific URL for the database download server. 

#(config i-filter) download username username 
Specifies the username for the database download server. 

#(config i-filter) exit 

Exits configure i-filter mode and returns to configure content-filter mode. 

#(config i-filter) no download auto 
Disables automatic download. 

#(config i-filter) no download encrypted-password 

Clears the encrypted password for the database download server. 

#(config i-filter) no download password 

Clears the password for the database download server. 

#(config i-filter) no download url 

Clears the URL for the database download server. 

#(config i-filter) no download username 

Clears the username for the database download server. 

#(config i-filter) view 

Shows the current i-FILTER settings. 
For More Information 

□ Volume 7: Managing Content 

Example 

SGOS# (config) content-filter 

SGOS# (config content-filter) i-filter 

SGOS# (config i-filter) no download day-of-week mon 

ok 

SGOS# (config i-filter) no download day-of-week wed 

ok 

SGOS# (config i-filter) exit 
SGOS# (config content-filter) exit 
SGOS# (config) 
#(config intersafe) 

Synopsis 

Use this command to configure InterSafe content filtering. 

Syntax 

#(config) content-filter 
This changes the prompt to: 

#(config content-filter) intersafe 
This changes the prompt to: 

#(config intersafe) 

Subcommands 

#(config intersafe) download all-day 
Checks for database updates all day. 

#(config intersafe) download auto 
Enables automatic database downloads. 

#(config intersafe) download between-hours start stop 
Sets the interval for automatic database update checks. 

#(config intersafe) download encrypted-password encrypted_password 
Specifies the encrypted password for the database download server. 

#(config intersafe) download get-now 
Initiates an immediate database download. 

#(config intersafe) download password password 
Specifies the password for the database download server. 

#(config intersafe) download url {default | url} 

Specifies using either the default URL or a specific URL for the database download server. 

#(config intersafe) download username username 
Specifies the username for the database download server. 

#(config intersafe) exit 

Exits configure intersafe mode and returns to configure content-filter mode. 

#(config intersafe) no download auto 
Disables automatic download. 

#(config intersafe) no download encrypted-password 
Clears the encrypted password for the database download server. 

#(config intersafe) no download password 

Clears the password for the database download server. 

#(config intersafe) no download url 

Clears the URL for the database download server. 

#(config intersafe) no download username 

Clears the username for the database download server. 

#(config intersafe) view 

Shows the current InterSafe settings. 
For More Information 

□ Volume 7: Managing Content 

Example 

SGOS# (config) content-filter 

SGOS# (config content-filter) intersafe 

SGOS# (config intersafe) no download day-of-week mon 

ok 

SGOS# (config intersafe) no download day-of-week wed 

ok 

SGOS# (config intersafe) exit 
SGOS# (config content-filter) exit 
SGOS# (config) 
#(config iwf) 

Synopsis 

Use this command to configure Internet Watch Foundation content filtering. 

Syntax 

#(config) content-filter 
This changes the prompt to: 

#(config content-filter) iwf 
This changes the prompt to: 

#(config iwf) 

Subcommands 

#(config iwf) download all-day 
Checks for database updates all day. 

#(config iwf) download auto 

Enables automatic database downloads. 

#(config iwf) download between-hours start stop 

Sets the interval for automatic database update checks. 

#(config iwf) download encrypted-password encrypted_password 
Specifies the encrypted password for the database download server. 

#(config iwf) download get-now 

Initiates an immediate database download. 

#(config iwf) download password password 

(Optional) Specifies the password for the database download server. 

#(config iwf) download url {default | url} 

Specifies using either the default URL or a specific URL for the database download server. 

#(config iwf) download username username 

Specifies the username for the database download server. 

#(config iwf) exit 

Exits configure iwf mode and returns to configure content-filter mode. 

#(config iwf) no download auto 
Disables automatic download. 

#(config iwf) no download encrypted-password 

Clears the encrypted password for the database download server. 

#(config iwf) no download password 

Clears the password for the database download server. 

#(config iwf) no download url 

Clears the URL for the database download server. 

#(config iwf) no download username 

Clears the username for the database download server. 

#(config iwf) view 

Shows the current IWF settings. 
Example 

SGOS# (config content-filter) iwf 
SGOS# (config iwf) download day-of-week all 
ok 

SGOS# (config iwf) exit 

SGOS# (config content-filter) exit 

SGOS# (config) 
#(config local) 

Synopsis 

Use this command to configure local content filtering. 

Syntax 

#(config) content-filter 
This changes the prompt to: 

#(config content-filter) local 
This changes the prompt to: 

#(config local) 

Subcommands 

#(config local) clear 

Clears the local database from the system. 

#(config local) download all-day 
Checks for database updates all day. 

#(config local) download auto 

Enables automatic database downloads. 

#(config local) download between-hours start stop 

Sets the interval for automatic database update checks. 

#(config local) download encrypted-password encrypted_password 
Specifies the encrypted password for the database download server. 

#(config local) download get-now 
Initiates an immediate database download. 

#(config local) download password password 

Specifies the password for the database download server. 

#(config local) download url {default | url} 

Specifies using either the default URL or a specific URL for the database download server. 

#(config local) download username username 

Specifies the username for the database download server. 

#(config local) exit 

Exits configure local database mode and returns to configure content-filter mode. 

#(config local) no download auto 
Disables automatic download. 

#(config local) no download encrypted-password 

Clears the encrypted password for the database download server. 

#(config local) no download password 

Clears the password for the database download server. 

#(config local) no download url 

Clears the URL for the database download server. 

#(config local) no download username 

Clears the username for the database download server. 
#(config local) source 

Shows the database source file. 

#(config local) view 

Shows the current local database settings. 

For More Information 

□ Volume 7: Managing Content 

Example 

SGOS# (config) content-filter 
SGOS# (config content-filter) local 
SGOS# (config local) download day-of-week all 
ok 

SGOS# (config local) exit 

SGOS# (config content-filter) exit 

SGOS# (config) 
#(config optenet) 

Synopsis 

Use this command to configure Optenet content filtering. 

Syntax 

#(config) content-filter 
This changes the prompt to: 

#(config content-filter) optenet 
This changes the prompt to: 

#(config optenet) 



Subcommands 

#(config optenet) download all-day 
Checks for database updates all day. 

#(config optenet) download auto 
Enables automatic database downloads. 

#(config optenet) download between-hours start stop 
Sets the interval for automatic database update checks. 

#(config optenet) download encrypted-password encrypted_password 
Specifies the encrypted password for the database download server. 

#(config optenet) download password password 
Specifies the password for the database download server. 

#(config optenet) download url {default | url} 

Specifies using either the default URL or a specific URL for the database download server. 

#(config optenet) download username username 
Specifies the username for the database download server. 

#(config optenet) exit 

Exits configure optenet mode and returns to configure content-filter mode. 

#(config optenet) no download auto 
Disables automatic download. 

#(config optenet) no download encrypted-password 

Clears the encrypted password for the database download server. 

#(config optenet) no download password 

Clears the password for the database download server. 

#(config optenet) no download url 

Clears the URL for the database download server. 

#(config optenet) no download username 

Clears the username for the database download server. 

#(config optenet) view 

Shows the current Optenet Web Filter settings. 

For More Information 

□ Volume 7: Managing Content 
Example 

SGOS# (config) content-filter 

SGOS# (config content-filter) optenet 

SGOS# (config optenet) download time-of-day 20 

ok 

SGOS# (config optenet) exit 
SGOS# (config content-filter) exit 
SGOS# (config) 
#(config proventia) 

Synopsis 

Use this command to configure Proventia Web Filter content filtering. 

Syntax 

#(config) content-filter 
This changes the prompt to: 

#(config content-filter) proventia 
This changes the prompt to: 

#(config proventia) 



Subcommands 

#(config proventia) download all-day 
Checks for database updates all day. 

#(config proventia) download auto 
Enables automatic database downloads. 

#(config proventia) download between-hours start stop 
Sets the interval for automatic database update checks. 

#(config proventia) download encrypted-password encrypted_password 
Specifies the encrypted password for the database download server. 

#(config proventia) download get-now 
Initiates an immediate database download. 

#(config proventia) download password password 
Specifies the password for the database download server. 

#(config proventia) download url {default | url} 

Specifies using either the default URL or a specific URL for the database download server. 

#(config proventia) download username username 
Specifies the username for the database download server. 

#(config proventia) exit 

Exits configure proventia mode and returns to configure content-filter mode. 

#(config proventia) no download auto 
Disables automatic download. 

#(config proventia) no download encrypted-password 
Clears the encrypted password for the database download server. 

#(config proventia) no download password 

Clears the password for the database download server. 

#(config proventia) no download url 

Clears the URL for the database download server. 

#(config proventia) no download username 

Clears the username for the database download server. 

#(config proventia) view 

Shows the current Proventia Web Filter settings. 
For More Information 

□ Volume 7: Managing Content 

Example 

SGOS# (config) content-filter 

SGOS# (config content-filter) proventia 
SGOS# (config proventia) download time-of-day 20 
ok 

SGOS# (config proventia) exit 
SGOS# (config content-filter) exit 
SGOS# (config) 
#(config smartfilter) 

Synopsis 

Use this command to configure SmartFilter filters that control the type of content retrieved by the SG 
appliance and filter requests made by clients. 

Syntax 

#(config) content-filter 
This changes the prompt to: 

#(config content-filter) smartfilter 
This changes the prompt to: 

#(config smartfilter) 

Subcommands 

#(config smartfilter) allow-rdns 
Allow reverse DNS for lookups. 

#(config smartfilter) download all-day 
Checks for database updates all day. 

#(config smartfilter) download auto 
Enables automatic database downloads. 

#(config smartfilter) download between-hours start stop 

Sets the interval for automatic database update checks. 

#(config smartfilter) download get-now 

Initiates immediate database download. If a full download is unnecessary, an incremental download is 
initiated. 

#(config smartfilter) download license license_key 
The customer serial number assigned to you by SmartFilter. 

#(config smartfilter) download server IP_address_or_hostname 

Enter the IP address or hostname of the server you should use for downloads if requested. 

#(config smartfilter) exit 

Exits configure smartfilter mode and returns to configure content-filter mode. 

#(config smartfilter) no allow-rdns 
Disallows reverse DNS for lookups. 

#(config smartfilter) no download {auto | encrypted-password | password | url | 
username} 

Negates download commands. 

#(config smartfilter) no use-search-keywords 

Disables the ability to categorize search engines based on keywords in the URL query. 

#(config smartfilter) use-search-keywords 

Allows you to categorize search engines based on keywords in the URL query. 

#(config smartfilter) view 

Shows the current SmartFilter settings. 



Volume 11: Command Line Interface Reference 
For More Information 

□ Volume 7: Managing Content 

Example 

SGOS# (config) content-filter 

SGOS# (config content-filter) smartfilter 
SGOS# (config smartfilter) allow-rdns 
ok 

SGOS# (config smartfilter) exit 
SGOS# (config content-filter) exit 
SGOS# (config) 
#(config surfcontrol) 

Synopsis 

Use this command to configure SurfControl filters that control the type of content retrieved by the SG 
appliance and filter requests made by clients. 

Syntax 

#(config) content-filter 
This changes the prompt to: 

#(config content-filter) surfcontrol 
This changes the prompt to: 

#(config surfcontrol) 

Subcommands 

#(config surfcontrol) download all-day 
Checks for database updates all day. 

#(config surfcontrol) download auto 
Enables automatic database downloads. 

#(config surfcontrol) download between-hours start stop 

Sets the interval for automatic database update checks. 

#(config surfcontrol) download encrypted-password encrypted_password 

Sets the download encrypted password. The username/password is assigned by Blue Coat. 

#(config surfcontrol) download get-now 

Initiates immediate database download. If a full download is unnecessary, an incremental download is 
initiated. 

#(config surfcontrol) download license license_key 
The customer serial number assigned to you by SurfControl. 

#(config surfcontrol) download server IP_address_or_hostname 

Enter the IP address or hostname of the server you should use for downloads if requested. 

#(config surfcontrol) download url {default | url} 

Specifies using either the default URL or a specific URL for the database download server. 

#(config surfcontrol) download username username 

Sets the download username. The username/password is assigned by Blue Coat. 

#(config surfcontrol) exit 

Exits configure surfcontrol mode and returns to configure content-filter mode. 

#(config surfcontrol) no download {auto | encrypted-password | username | password 
| url} 

Negates download commands. 

#(config surfcontrol) view 

Shows the current SurfControl settings. 

For More Information 

□ Volume 7: Managing Content 
Example 



SGOS# (config) content-filter 

SGOS# (config content-filter) surfcontrol 
SGOS# (config surfcontrol) no download url 
ok 

SGOS# (config surfcontrol) exit 
SGOS# (config content-filter) exit 
SGOS# (config) 



Chapter 3: Privileged Mode Configure Commands 
#(config websense) 

Synopsis 

Use this command to configure Websense filters that control the type of content retrieved by the SG 
appliance and filter requests made by clients. 

Syntax 

#(config) content-filter 
This changes the prompt to: 

#(config content-filter) websense 
This changes the prompt to: 

#(config websense) 



Subcommands 

#(config websense) always-apply-regexes 

Forces an additional regular expression lookup for each URL to be categorized. Normally, regular expression 
lookups are only performed when no category is found in the Websense database. This option causes them to 
be performed always, even for categorized URLs. This can reduce lookup performance, but can allow certain 
sites (such as translation, search engine, and link-cache sites) to be categorized more accurately. 

#(config websense) download all-day 
Checks for database updates all day. 

#(config websense) download auto 
Enables automatic database downloads. 

#(config websense) download between-hours start stop 

Sets the interval for automatic database update checks. 

#(config websense) download email-contact email_address 

Specifies an e-mail address that is sent to Websense when downloading the database. 

#(config websense) download get-now 

Initiates immediate database download. If a full download is unnecessary, an incremental download is 
initiated. 

#(config websense) download license license_key 
Specifies the license key for the database download server. 

#(config websense) download server {ip_address | hostname} 

Specifies the server location of the database. 

#(config websense) exit 

Exits configure websense mode and returns to configure content-filter mode. 

#(config websense) integration-service disable 
Disables the integration service. 

#(config websense) integration-service enable 
Enables the integration service. 

#(config websense) integration-service host {hostname | IP_address} 

Sets the integration service hostname or IP address. The IP address must match the IP address of the 
Websense Log Server. 

#(config websense) integration-service port {integer between 0 and 65535} 
Configures the integration service port. Accepted values are between 0 and 65535. 
#(config websense) log-forwarded-client-address 

Allows you to log the X-Forwarded-For header (if present and a parseable IP address) in the 
Websense Reporter log. 
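The condition "if present and a parseable IP address" is the important part of this setting: X-Forwarded-For is a client-supplied request header, so a logger that copied it verbatim could be fed arbitrary text. The following Python is an added example of that check, not Websense or SGOS code; it assumes that in a comma-separated chain the first entry is the address of interest and that anything unparseable causes the header to be ignored in favour of the TCP peer address. 

```python
"""Take a client address from X-Forwarded-For only when it parses as an IP.

Added example, not SGOS or Websense code. Assumptions: the header may hold a
comma-separated chain and the first entry is the original client; a value
that is not a parseable IP address is ignored and the TCP peer address is
used instead, so the logged field is always a real address.
"""
import ipaddress


def forwarded_client_address(headers, peer_address):
    """headers: iterable of (name, value) pairs as received on the request.
    Returns (address, source) with source 'x-forwarded-for' or 'peer'."""
    raw = None
    for name, value in headers:  # header names are case-insensitive
        if name.lower() == "x-forwarded-for":
            raw = value
            break
    if raw is not None:
        first = raw.split(",")[0].strip()
        try:
            # ip_address() accepts IPv4 and IPv6 literals and rejects anything else,
            # including hostnames, ports appended to the address, and injected text.
            return (str(ipaddress.ip_address(first)), "x-forwarded-for")
        except ValueError:
            pass  # not a parseable IP: ignore the header, as the setting specifies
    return (peer_address, "peer")


def reporter_log_line(headers, peer_address, url):
    """One constructed log line in the form 'client-address source url'."""
    address, source = forwarded_client_address(headers, peer_address)
    return f"{address} {source} {url}"
```

Even a well-formed address in this header is only as trustworthy as the proxy that set it, so the setting is worth enabling only where an upstream device the appliance trusts is known to add the header. 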

#(config websense) no always-apply-regexes 

Specifies to not apply regular expression filters to categorized URLs. 

#(config websense) no download {auto | email-contact | license | server} 

Clears the download parameters. 

#(config websense) no integration-service {host | port} 

Clears the integration-service host or port. 

#(config websense) no log-forwarded-client-address 

Disables logging the X-Forwarded-For header in the Websense Reporter log. 

#(config websense) view 

Shows the current Websense settings. 

For More Information 

□ Volume 7: Managing Content 



Example 



SGOS# (config) content-filter 
SGOS# (config content-filter) websense 
SGOS# (config websense) no always-apply-regexes 
ok 



SGOS# (config websense) exit 
SGOS# (config content-filter) exit 
SGOS# (config) 
#(config webwasher) 

Synopsis 

Use this command to configure Webwasher URL Filter content filtering. 

Syntax 

#(config) content-filter 
This changes the prompt to: 

#(config content-filter) webwasher 
This changes the prompt to: 

#(config webwasher) 



Subcommands 

#(config webwasher) download all-day 
Checks for database updates all day. 

#(config webwasher) download auto 
Enables automatic database downloads. 

#(config webwasher) download between-hours start stop 

Sets the interval for automatic database update checks. 

#(config webwasher) download encrypted-password encrypted_password 
Specifies the encrypted password for the database download server. 

#(config webwasher) download get-now 

Initiates an immediate database download. If a full download is unnecessary, an incremental download 
is initiated. 

#(config webwasher) download password password 
Specifies the password for the database download server. 

#(config webwasher) download url {default | url} 

Specifies using either the default URL or a specific URL for the database download server. 

#(config webwasher) download username username 
Specifies the username for the database download server. 

#(config webwasher) exit 

Exits configure webwasher mode and returns to configure content-filter mode. 

#(config webwasher) no download auto 
Disables automatic download. 

#(config webwasher) no download encrypted-password 
Clears the encrypted password for the database download server. 

#(config webwasher) no download password 

Clears the password for the database download server. 

#(config webwasher) no download url 

Clears the URL for the database download server. 

#(config webwasher) no download username 

Clears the username for the database download server. 

#(config webwasher) view 

Shows the current Webwasher URL Filter settings. 
For More Information 

□ Volume 7: Managing Content 

Example 

SGOS# (config) content-filter 

SGOS# (config content-filter) webwasher 
SGOS# (config webwasher) download time-of-day 20 
ok 

SGOS# (config webwasher) exit 
SGOS# (config content-filter) exit 
SGOS# (config) 
#(config) connection-forwarding 



Synopsis 

This command enables you to configure the TCP Connection Forwarding aspect of ADN transparent 
tunnel load balancing and asymmetric routing. 



Syntax 

#(config) connection-forwarding 
This changes the prompt to: 

#(config connection-forwarding) 



Subcommands 

#(config connection-forwarding) add ip_address 
Add this SG appliance to a connection forwarding peer group. 

#(config connection-forwarding) port number 

Specify the port used by all peers in the peer group to communicate connection information (each peer in 
the group must use the same port number). The default is 3030. 

#(config connection-forwarding) {enable | disable} 

Enables or disables connection forwarding on this SG appliance. 

#(config connection-forwarding) clear 

Clear the list of forwarding peers from this SG appliance. 

#(config connection-forwarding) exit 

Exits #(config connection-forwarding) mode and returns to #(config) mode. 

#(config connection-forwarding) view 
View the TCP connection forwarding information. 

For More Information 

□ Volume 5: Advanced Networking 

Example 

SGOS# (config) connection-forwarding 

SGOS# (config connection-forwarding) add 10.9.59.100 
ok 

SGOS# (config connection-forwarding) port 3030 
ok 

SGOS# (config connection-forwarding) enable 
ok 
#(config) diagnostics 

Synopsis 

This command enables you to configure the remote diagnostic feature Heartbeat. 

Syntax 

#(config) diagnostics 
This changes the prompt to: 

#(config diagnostics) 



Subcommands 

#(config diagnostics) cpu-monitor {disable | enable} 

Enables or disables the CPU monitor (the CPU monitor is disabled by default). 

#(config diagnostics) cpu-monitor interval seconds 

Sets the periodic interval of the CPU monitor from 1 to 59 seconds (the default setting is 5 seconds). 

#(config diagnostics) exit 

Exits # (config diagnostics) mode and returns to # (config) mode. 

#(config diagnostics) heartbeat {disable | enable}

Enables or disables the SG appliance Heartbeat features.

#(config diagnostics) monitor {disable | enable}

Enables or disables the Blue Coat monitoring feature.

#(config diagnostics) send-heartbeat
Triggers a heartbeat report.

#(config diagnostics) service-info

Changes the prompt (see #(config service-info) on page 165).

#(config diagnostics) snapshot {create | delete} snapshot_name
Creates or deletes a snapshot job.

#(config diagnostics) edit snapshot_name

Changes the prompt to #(config snapshot snapshot_name) on page 167.

# (config diagnostics) view configuration 

Displays diagnostics settings for Heartbeats, CPU monitor, automatic service-info, and snapshots. 

# (config diagnostics) view cpu-monitor 
Displays the CPU Monitor results. 

# (config diagnostics) view service-info 
Displays service-info settings and progress. 

# (config diagnostics) view snapshot snapshot_name 

Displays the snapshot settings (target, status, interval, to keep, to take, and next snapshot) for the 
snapshot name specified. 



For More Information 

□ Volume 10: Managing the Blue Coat SG Appliance 



Example 

SGOS# (config) diagnostics 

SGOS# (config diagnostics) heartbeat enable 
ok 

SGOS# (config diagnostics) exit 
SGOS# (config) 
#(config service-info)

Synopsis 

This command allows you to send service information to Blue Coat. 

Syntax 

#(config) diagnostics 
This changes the prompt to: 

#(config diagnostics) service-info 
This changes the prompt to: 

#(config service-info) 

Subcommands 

# (diagnostics service-info) auto {disable | enable} 

Disables or enables the automatic service information feature. 

# (diagnostics service-info) auto no sr-number 

Clears the service-request number for the automatic service information feature. 

# (diagnostics service-info) auto sr-number sr_number 

Sets the service-request number for the automatic service information feature. 

#(diagnostics service-info) bandwidth-class bw_class_name

Sets a bandwidth class used to manage the bandwidth of service-information transfers.

In order to bandwidth-manage service-information transfers, bandwidth management
must be enabled. You must also create a bandwidth class for service-information transfers (in
bandwidth-management mode) before you can select it here.

# (diagnostics service-info) cancel all 

Cancel all service information being sent to Blue Coat. 

# (diagnostics service-info) cancel one_or_more_from_view_status 
Cancel certain service information being sent to Blue Coat. 

# (diagnostics service-info) exit 

Exits # (config diagnostics service-info) mode and returns to # (config diagnostics) 
mode. 

# (diagnostics service-info) no bandwidth-class 

Disables bandwidth-management for service-information transfers 

#(diagnostics service-info) send sr_number one_or_more_commands_from_view_available

Sends a specific service request number along with a specific command or commands (chosen from the
list provided by the view available command) to Blue Coat.

#(diagnostics service-info) view available

Shows the list of service information that can be sent to Blue Coat.

# (diagnostics service-info) view status 

Shows transfer status of service information to Blue Coat. 
For More Information 

□ #(config) bandwidth-management on page 117 

□ Volume 10: Managing the Blue Coat SG Appliance 



Example 

SGOS# (config) diagnostics

SGOS# (config diagnostics) service-info

SGOS# (diagnostics service-info) view available

Service information that can be sent to Blue Coat

Name                     Approx Size (bytes)
Event_log                188,416
System_information       Unknown
Snapshot_sysinfo         Unknown
Snapshot_sysinfo_stats   Unknown

SGOS# (diagnostics service-info) send 1-4974446 event_log system_information snapshot_sysinfo

Sending the following reports

Event_log
System_information
Snapshot_sysinfo

SGOS# (diagnostics service-info) view status

Name
Event_log                Transferred successfully
Snapshot_sysinfo         Transferred successfully
Event_log                Transferred successfully
System_information       Transferred successfully

SGOS# (diagnostics service-info) exit
SGOS# (config diagnostics) exit
SGOS# (config)
#(config snapshot snapshot_name)

Synopsis 

This command allows you to edit a snapshot job. 

Syntax 

#(config) diagnostics 

This changes the prompt to: 

#(config diagnostics) snapshot edit snapshot_name 

This changes the prompt to: 

#(config snapshot snapshot_name) 

Subcommands 

#(config snapshot snapshot_name) clear-reports
Clears all stored snapshots reports. 

#(config snapshot snapshot_name) {disable | enable} 

Disables or enables this snapshot job. 

#(config snapshot snapshot_name) exit 

Exits # (config diagnostics snapshot_name) mode and returns to # (config diagnostics 
service-info) mode. 

# (config snapshot snapshot_name) interval minutes 

Specifies the interval between snapshots reports in minutes. 

# (config snapshot snapshot_name) keep number_to_keep (from 1 - 100) 

Specifies the number of snapshot reports to keep. 

# (config snapshot snapshot_name) take {infinite | number_to_take} 

Specifies the number of snapshot reports to take. 

#(config snapshot snapshot_name) target object_to_fetch

Specifies the object to snapshot. 

# (config snapshot snapshot_name) view 
Displays snapshot status and configuration. 

For More Information 

□ Volume 10: Managing the Blue Coat SG Appliance 

Example 

SGOS# (config) diagnostics 

SGOS# (config diagnostics) snapshot testshot 
SGOS# (diagnostics snapshot testshot) enable 
ok 

SGOS# (diagnostics service-info) interval 1440 
ok 

SGOS# (diagnostics snapshot testshot) exit 
SGOS# (config diagnostics) exit 
SGOS# (config) 
#(config) dns

Synopsis 

The dns command enables you to modify the DNS settings for the SG appliance. Note that the 
alternate DNS servers are only checked if the servers in the standard DNS list return: "Name not 
found." 

Syntax 

#(config) dns [subcommands] 

Subcommands 

#(config) dns alternate ip_address 

Adds the new alternate domain name server indicated by ip_address to the alternate DNS server list. 

#(config) dns clear alternate 

Sets all entries in the alternate DNS server list to null. 

#(config) dns clear imputing 

Sets all entries in the name imputing list to null. 

#(config) dns client-affinity {disable | enable} 

Enable or disable client-affinity. 

When enabled, requests from the same client resolve the hostname in the same order. For example,
www.google.com resolves to 66.102.7.99, 66.102.7.147, and 66.102.7.104. If client-affinity is enabled and
the SG appliance receives a request (HTTP, streaming or other proxy request) for www.google.com, it uses
the client's IP address to determine the order of the resolved addresses. If client-affinity is disabled, the
order of the resolved addresses changes each time the SG appliance receives a request.

#(config) dns clear server 

Sets all entries in the primary DNS server list to null. 

#(config) dns imputing name 

Identifies the file indicated by name as the name imputing list. 

#(config) dns negative-cache-ttl-override seconds 
Set the DNS negative cache time-to-live value for seconds. 

A DNS request to an unknown domain name (klauwjdasd.bluecaot.com) is cached by the SG appliance. 
This type of caching is called a negative cache because it does not resolve to an actual IP address. The 
TTL value for a negative cache entry can be overwritten by this command. 

#(config) dns no alternate ip_address 

Removes the alternate DNS server identified by ip_address from the alternate DNS server list. 

#(config) dns no imputing imputed_name 

Removes the imputed name identified by imputed_name from the name imputing list. 

#(config) dns no negative-cache-ttl-override 

Do not override the negative cache time-to-live value. 

#(config) dns no server ip_address 

Removes the primary DNS server identified by ip_address from the primary DNS server list. 
#(config) dns server ip_address 

Adds the new primary domain name server indicated by ip_address to the primary DNS server list. 
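The following is an added example, not code from the Blue Coat guide or from SGOS: a small Python model of the three behaviours the dns subcommands above describe, namely that the alternate server list is consulted only after the primary list answers "Name not found", that such answers are negatively cached for a TTL that negative-cache-ttl-override can replace, and that client-affinity fixes the address order per client. The server tables, hostnames and addresses are constructed sample data, and deriving the affinity order from a hash of the client IP is an assumption made for the example (the guide only says the client's IP address determines the order).

```python
import hashlib
import time

NXDOMAIN = "Name not found"  # the reply that makes the appliance try the alternate list

# Constructed upstream data: server address -> {hostname: [resolved addresses]}.
# A name missing from a server's table means that server answers "Name not found".
SERVERS = {
    "10.253.220.249": {"www.example.test": ["192.0.2.10", "192.0.2.11", "192.0.2.12"]},
    "216.52.23.101": {"intranet.example.test": ["198.51.100.5"]},
}


class DnsConfig:
    """Toy model of the #(config) dns settings: server lists, negative cache, client affinity."""

    def __init__(self, servers, alternates, negative_ttl_override=None, client_affinity=False):
        self.servers = list(servers)          # 'dns server ip_address' entries, in order
        self.alternates = list(alternates)    # 'dns alternate ip_address' entries
        self.negative_ttl_override = negative_ttl_override  # seconds, or None for 'no ...-override'
        self.client_affinity = client_affinity
        self._negative_cache = {}             # hostname -> expiry time
        self._rotation = 0                    # rotates answers when affinity is disabled

    @staticmethod
    def _query(server_list, name):
        # Ask each server in list order; the first positive answer wins, else "Name not found".
        for server in server_list:
            answer = SERVERS.get(server, {}).get(name)
            if answer:
                return list(answer)
        return NXDOMAIN

    def negative_cache_expiry(self, name):
        """Expiry time of the negative-cache entry for name, or None if not cached."""
        return self._negative_cache.get(name)

    def resolve(self, name, client_ip, now=None, upstream_negative_ttl=300):
        now = time.time() if now is None else now
        expiry = self._negative_cache.get(name)
        if expiry is not None and now < expiry:
            return NXDOMAIN  # answered from the negative cache, no upstream query
        answer = self._query(self.servers, name)
        if answer == NXDOMAIN:
            # The alternate list is consulted only after the primary list says "Name not found".
            answer = self._query(self.alternates, name)
        if answer == NXDOMAIN:
            # Override replaces the TTL the upstream server supplied for the negative answer.
            ttl = upstream_negative_ttl if self.negative_ttl_override is None else self.negative_ttl_override
            self._negative_cache[name] = now + ttl
            return NXDOMAIN
        return self._order(answer, client_ip)

    def _order(self, addresses, client_ip):
        if self.client_affinity:
            # Assumption for this example: derive the rotation from a hash of the client IP,
            # so the same client always receives the addresses in the same order.
            digest = hashlib.sha256(client_ip.encode()).digest()
            start = int.from_bytes(digest[:4], "big") % len(addresses)
        else:
            start = self._rotation % len(addresses)
            self._rotation += 1
        return addresses[start:] + addresses[:start]
```

With affinity enabled, repeated lookups from one client return an identical list; with it disabled, consecutive lookups rotate. A negative answer is not re-queried until its cached expiry passes, which is why lowering the override shortens how long a typo'd or newly created name stays unresolvable through the appliance.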

For More Information 

□ Volume 1: Getting started 
Example

SGOS# (config) dns clear server
ok

SGOS# (config) dns server 10.253.220.249
ok

SGOS# (config) dns clear alternate
ok

SGOS# (config) dns alternate 216.52.23.101
ok
#(config) event-log

Synopsis 

You can configure the SG appliance to log system events as they occur. Event logging allows you to
specify the types of system events logged, the size of the event log, and to configure Syslog
monitoring. The SG appliance can also notify you by e-mail if an event is logged.

Syntax 

#(config) event-log 
This changes the prompt to: 

#(config event-log)



Subcommands 

#(config event-log) exit 

Exits #(config event-log) mode and returns to #(config) mode.

#(config event-log) level configuration 

Writes severe and configuration change error messages to the event log. 

#(config event-log) level informational 

Writes severe, configuration change, policy event, and information error messages to the event log. 

#(config event-log) level policy 

Writes severe, configuration change, and policy event error messages to the event log. 

#(config event-log) level severe 

Writes only severe error messages to the event log. 

#(config event-log) level verbose 
Writes all error messages to the event log. 

#(config event-log) log-size megabytes

Specifies the maximum size of the event log in megabytes. 

#(config event-log) mail add email_address 
Specifies an e-mail recipient for the event log output. 

#(config event-log) mail clear 

Removes all e-mail recipients from the event log e-mail output distribution list. 

#(config event-log) mail no smtp-gateway 
Clears the SMTP gateway used for notifications. 

#(config event-log) mail remove email_address 

Removes the e-mail recipient indicated by email_address from the event log e-mail output 
distribution list. 

#(config event-log) mail smtp-gateway {domain_name | ip_address}

Specifies the SMTP gateway to use for event log e-mail output notifications. 

#(config event-log) syslog {disable | enable}

Disables or enables the collection of system log messages.

#(config event-log) syslog facility {auth | daemon | kernel | local0 | local1 |
local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news |
syslog | user | uucp}

Specifies the types of system log messages to be collected in the system log. 

#(config event-log) syslog loghost {domain_name | ip_address}

Specifies the host domain used for system log notifications. 
#(config event-log) syslog no loghost 

#(config event-log) view [configuration] [start [YYYY-mm-dd] [HH:MM:SS]] [end
[YYYY-mm-dd] [HH:MM:SS]] [regex regex | substring string]

View the event-log configuration, using the #(config event-log) configuration command, or view the 
contents of the event-log, using the filters offered to narrow the view. 

#(config event-log) when-full {overwrite | stop}

Specifies what should happen to the event log when the maximum size has been reached: overwrite
overwrites the oldest information in a FIFO manner; stop disables event logging.
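The following is an added example, not code from the Blue Coat guide or from SGOS: a Python model of the event-log semantics listed above. It implements the cumulative level ladder (severe, configuration, policy, informational, verbose), a size-bounded log with the two when-full policies (overwrite evicts oldest first; stop disables logging), and the syslog PRI value implied by a syslog facility choice, using the RFC 5424 rule PRI = facility code * 8 + severity. The byte sizes, messages and severities used are constructed sample data; the facility keyword list is the one the command accepts.

```python
from collections import deque

# Level names in the guide's increasing order; each level includes everything below it.
LEVEL_ORDER = ["severe", "configuration", "policy", "informational", "verbose"]

# The facility keywords accepted by 'syslog facility', with their RFC 5424 facility codes.
SYSLOG_FACILITY = {
    "kernel": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "local0": 16, "local1": 17, "local2": 18,
    "local3": 19, "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}


def syslog_pri(facility, severity):
    """PRI field of a syslog message for this facility keyword and severity (0-7)."""
    if facility not in SYSLOG_FACILITY or not 0 <= severity <= 7:
        raise ValueError("unknown facility or severity out of range")
    return SYSLOG_FACILITY[facility] * 8 + severity


class EventLog:
    """Size-bounded event log with a configured level and a when-full policy."""

    def __init__(self, level="informational", max_bytes=1024, when_full="overwrite"):
        if level not in LEVEL_ORDER or when_full not in ("overwrite", "stop"):
            raise ValueError("bad level or when-full setting")
        self.level = level
        self.max_bytes = max_bytes      # 'log-size', scaled down to bytes for the example
        self.when_full = when_full
        self.entries = deque()          # (level, message) in arrival order
        self.used = 0
        self.stopped = False            # set once 'stop' has disabled logging
        self.dropped = 0

    def accepts(self, event_level):
        """True when an event of this level is written under the configured level."""
        return LEVEL_ORDER.index(event_level) <= LEVEL_ORDER.index(self.level)

    def write(self, event_level, message):
        """Append an event; returns False when the event was filtered or the log is stopped."""
        size = len(message.encode())
        if self.stopped or not self.accepts(event_level) or size > self.max_bytes:
            self.dropped += 1
            return False
        while self.entries and self.used + size > self.max_bytes:
            if self.when_full == "stop":
                self.stopped = True      # 'stop': the log is full, logging is disabled
                self.dropped += 1
                return False
            _, oldest = self.entries.popleft()  # 'overwrite': evict oldest first (FIFO)
            self.used -= len(oldest.encode())
        self.entries.append((event_level, message))
        self.used += size
        return True
```

The model makes one operational consequence of when-full stop visible: once the log fills, every later event, including severe ones, is silently dropped until the log is cleared, so a remote loghost is the safer place for the authoritative copy.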



For More Information 

□ Volume 10: Managing the Blue Coat SG Appliance 

Example 

SGOS# (config) event-log 
SGOS# (config event-log) syslog enable
ok 
#(config) exceptions

Synopsis 

These commands allow you to configure built-in and user-defined exception response objects. 

Syntax 

#(config) exceptions 
This changes the prompt to: 

#(config exceptions) 



Subcommands 

#(config exceptions) create exception_id 
Creates the given exception. 

#(config exceptions) company-name name 

Sets the name used for the $(exception.company_name) substitution. 

#(config exceptions) delete exception_id 
Deletes the exception specified by exception_id. 

#(config exceptions) edit exception_id or user_defined_exception_id 

Changes the prompt to #(config exceptions [user-defined.]exception_id) on page 173.

# (config exceptions) exit 

Exits # (config exceptions) mode and returns to # (config) mode. 

#(config exceptions) inline {contact | details | format | help | http {contact |
details | format | help | summary} | summary} eof_marker
Configures defaults for all exception objects. 

# (config exceptions) load exceptions 
Downloads new exceptions. 

# (config exceptions) no path 

Clears the network path to download exceptions. 

# (config exceptions) path uri 

Specifies the network path to download exceptions. 

#(config exceptions) user-defined inline {contact | details | format | help |
http {contact | details | format | help | summary} | summary} eof_marker
Configures the top-level values for user-defined exceptions. 



For More Information 

□ Volume 6: VPM and Advanced Policy 

Example 

SGOS# (config) exceptions 

SGOS# (config exceptions) default contact 
ok 

SGOS# (config exceptions) exit 
SGOS# (config) 
#(config exceptions [user-defined.]exception_id)

Synopsis 

These commands allow you to edit an exception or a user-defined exception. 

Syntax 

#(config) exceptions 

This changes the prompt to: 

#(config exceptions) user_defined_exception_id 

This changes the prompt to: 

#(config exceptions user_defined_exception_id) 

Subcommands 

#(config exceptions [user-defined.]exception_id) exit

Exits #(config exceptions [user-defined.]exception_id) mode and returns to #(config
exceptions) mode.

#(config exceptions [user-defined.]exception_id) http-code numeric_http_response_code
Configures this exception's HTTP response code.

#(config exceptions [user-defined.]exception_id) inline {contact | details |
format | help | http {contact | details | format | help | summary} | summary}
eof_marker

Configures this exception's substitution values. 



For More Information 

□ Volume 6: VPM and Advanced Policy 

Example 

SGOS# (config) exceptions 

SGOS# (config exceptions) edit testname 

SGOS# (config exceptions user-defined testname) http-code 000 
ok 

SGOS# (config exceptions user-defined testname) exit 
SGOS# (config exceptions) exit 
SGOS# (config) 
#(config) exit

Synopsis 

Exits from Configuration mode to Privileged mode, from Privileged mode to Standard mode. From 
Standard mode, the exit command closes the CLI session. 

Syntax 

#(config) exit 

The exit command has no parameters or subcommands. 
#(config) external-services

Synopsis 

These commands allow you to configure your external services. 

Use the edit ICAP commands to configure the ICAP service used to integrate the SG appliance with a
virus scanning server. The configuration is specific to the virus scanning server and includes the server
IP address, as well as the supported number of connections. If you are using the SG appliance with
multiple virus scanning servers or multiple scanning services on the same server, add an ICAP service
for each server or scanning service.



Note: When you define virus scanning policies, use the same service name. Make sure you type the 

ICAP service name accurately, whether you are configuring the service on the SG appliance or 
defining policies, since the name retrieves the other configuration settings for that service. 



Syntax 

#(config) external-services
This changes the prompt to: 

#(config external-services) 



Subcommands 

#(config external-services) create icap icap_service_name
Creates an ICAP service.

#(config external-services) create service-group service_group_name
Creates a service group.

#(config external-services) create websense websense_service_name
Creates a Websense service.

#(config external-services) delete name
Deletes an external service.

#(config external-services) edit

Changes the prompt to one of three external service edit commands:

#(config icap icap_service_name) on page 177

#(config service-group service_group_name) on page 179

#(config websense websense_service_name) on page 181

#(config external-services) exit 

Exits # (config external-services) mode and returns to # (config) mode. 

#(config external-services) inline http { icap-patience-details | 

icap-patience-header | icap-patience-help | icap-patience-summary} 

Customizes ICAP patience page details for HTTP connections. 

#(config external-services) icap feedback interactive patience-page {seconds}
For traffic associated with a Web browser, display a patience page after the specified duration. 
#(config external-services) icap feedback {interactive | non-interactive}
{trickle-start | trickle-end | none} {seconds}

For interactive traffic (associated with a Web browser) or non-interactive traffic (originating from a
client other than a Web browser), employ a data trickling method so the user receives a small amount
(trickle-start) or large amount (trickle-end) of object data while waiting for the results of the content
scan (ICAP). Begin trickling after the specified duration.

#(config external-services) inline ftp icap-patience-details
Customizes ICAP patience page details for FTP connections.

#(config external-services) view

Shows external services and external service groups. 



For More Information 

□ Volume 7: Managing Content 



Example 

SGOS# (config) external-services

SGOS# (config external-services) create websense testwebsense
ok

SGOS# (config external-services) exit
SGOS# (config)
#(config icap icap_service_name)

Synopsis 

These commands allow you to edit ICAP parameters. 

Syntax 

#(config) external-services
This changes the prompt to:

#(config external-services) create icap icap_service_name
#(config external-services) edit icap_service_name
This changes the prompt to: 

#(config icap icap_service_name) 

Subcommands 

#(config icap icap_service_name) exit

Exits #(config icap icap_service_name) mode and returns to #(config external-services) mode.

#(config icap icap_service_name) max-conn max_num_connections
Sets the maximum number of connections for the ICAP service.

#(config icap icap_service_name) methods {REQMOD | RESPMOD}

Sets the method supported by the ICAP service. REQMOD is request modification and RESPMOD is
response modification.

# (config icap icap_service_name) no send {client-address | server-address} 

Specifies what should not be sent to the ICAP server. 

# (config icap icap_service_name) no notify virus-detected 

Specifies no notification to the administrator when a virus is detected. 

# (config icap icap_service_name) no patience-page 
Specifies that patience pages do not get served. 

# (config icap icap_service_name) no preview 

Specifies that previews do not get sent. 

# (config icap icap_service_name) notify virus-detected 
Specifies notification when viruses are found. 

# (config icap icap_service_name) patience-page seconds 

Sets the number of seconds (5 to 65535) to wait before serving a patience page. 

# (config icap icap_service_name) preview-size bytes 

Sets the preview size for the ICAP service. 

# (config icap icap_service_name) send client-address 
Specifies that the client address be sent to the ICAP service. 

# (config icap icap_service_name) send server-address 
Specifies that the server address be sent to the ICAP service. 

# (config icap icap_service_name) sense-settings 
Senses the service's setting by contacting the server. 

# (config icap icap_service_name) timeout seconds 

Sets the connection timeout for the ICAP services. 

# (config icap icap_service_name) url uri 
Sets the URL for the ICAP services. 
#(config icap icap_service_name) view 
Displays the service's current configuration. 
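The following is an added example, not code from the Blue Coat guide or from SGOS: a Python function that builds the ICAP RESPMOD request a scanning service configured with methods RESPMOD and a preview-size receives, following RFC 3507. It shows what the subcommands above control on the wire: the Encapsulated offsets of the HTTP request and response headers, the Preview header limiting how much body is sent before the server decides, and the chunked preview that ends with "0; ieof" when the whole body fits (so no 100 Continue round trip is needed). The X-Client-IP and X-Server-IP header names used for send client-address and send server-address are an assumption (common ICAP extension headers), not taken from the guide; the ICAP URL, HTTP messages and addresses are constructed.

```python
def _chunk(data):
    """One HTTP/ICAP chunk: hex length, CRLF, data, CRLF."""
    return b"%x\r\n%s\r\n" % (len(data), data)


def build_respmod(icap_url, http_request, http_response_headers, body,
                  preview_size=None, client_address=None, server_address=None):
    """Bytes of an ICAP RESPMOD request carrying an HTTP response for scanning (RFC 3507).

    http_request and http_response_headers are complete header blocks ending in CRLF CRLF.
    With preview_size set, only the first preview_size body bytes are sent; the ICAP server
    then replies 100 Continue (send the rest) or 204 No Content (deliver unmodified).
    """
    host = icap_url.split("://", 1)[1].split("/", 1)[0]
    headers = [
        b"RESPMOD " + icap_url.encode() + b" ICAP/1.0",
        b"Host: " + host.encode(),
        b"Allow: 204",  # lets the server skip echoing back an unmodified response
    ]
    if client_address:  # assumed header name for 'send client-address'
        headers.append(b"X-Client-IP: " + client_address.encode())
    if server_address:  # assumed header name for 'send server-address'
        headers.append(b"X-Server-IP: " + server_address.encode())
    res_hdr = len(http_request)
    res_body = res_hdr + len(http_response_headers)
    if not body:
        # No body at all: Encapsulated says so and nothing follows the headers.
        headers.append(b"Encapsulated: req-hdr=0, res-hdr=%d, null-body=%d" % (res_hdr, res_body))
        payload = b""
    elif preview_size is None:
        headers.append(b"Encapsulated: req-hdr=0, res-hdr=%d, res-body=%d" % (res_hdr, res_body))
        payload = _chunk(body) + b"0\r\n\r\n"
    else:
        headers.append(b"Encapsulated: req-hdr=0, res-hdr=%d, res-body=%d" % (res_hdr, res_body))
        headers.append(b"Preview: %d" % preview_size)
        if len(body) <= preview_size:
            payload = _chunk(body) + b"0; ieof\r\n\r\n"  # whole body fits: nothing more to send
        else:
            payload = _chunk(body[:preview_size]) + b"0\r\n\r\n"  # rest follows after 100 Continue
    return b"\r\n".join(headers) + b"\r\n\r\n" + http_request + http_response_headers + payload


def preview_is_complete(icap_request):
    """True when the preview carried the whole body, so no 100 Continue round trip is needed."""
    return icap_request.endswith(b"0; ieof\r\n\r\n")
```

A larger preview-size lets the scanner make its verdict on more data before the appliance commits to streaming the rest, at the cost of sending that many bytes for every object; the timeout subcommand bounds how long the appliance waits for the 100 Continue or final reply.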

For More Information 

□ Volume 7: Managing Content 

Example 

SGOS# (config) external-services

SGOS# (config external-services) edit testicap 
SGOS# (config icap testicap) send client-address 
ok 

SGOS# (config icap testicap) exit 
SGOS# (config external-services) exit 
SGOS# (config) 
#(config service-group service_group_name)

Synopsis 

These commands allow you to edit service group parameters. 

Syntax 

#(config) external-services

This changes the prompt to:

#(config external-services) create service-group service_group_name
#(config external-services) edit service_group_name
This changes the prompt to: 

#(config service-group service_group_name) 



Subcommands 

#(config service-group service_group_name) add entry_name 
Adds an entry to this service group. 

#(config service-group service_group_name) edit entry_name

Changes the prompt to #(config service-group service_group_name entry_name).

#(config service-group service_group_name entry_name) exit

Exits #(config service-group service_group_name entry_name) mode and returns to #(config
service-group service_group_name) mode.

#(config service-group service_group_name entry_name) view
Shows this entry's configuration.

#(config service-group service_group_name entry_name) weight 0 to 255
Modifies this entry's weight.

#(config service-group service_group_name) exit

Exits #(config service-group service_group_name) mode and returns to #(config external-services)
mode.

# (config service-group service_group_name) view 
Displays this service group's configuration. 



For More Information 

□ Volume 7: Managing Content

Examples 

SGOS# (config) external-services

SGOS# (config external-services) edit testgroup 
SGOS# (config service-group testgroup) add testentry 
ok 

SGOS# (config service-group testgroup) exit 
SGOS# (config external-services) exit 
SGOS# (config) 
SGOS# (config) external-services

SGOS# (config external-services) edit testgroup 
SGOS# (config service-group testgroup) edit testentry 
SGOS# (config service-group testgroup testentry) weight 223 
ok 

SGOS# (config service-group testgroup testentry) exit 
SGOS# (config service-group testgroup) exit 
SGOS# (config external-services) exit 
SGOS# (config) 
#(config websense websense_service_name)

Synopsis 

These commands allow you to edit Websense parameters. 

Syntax 

#(config) external-services
This changes the prompt to:

#(config external-services) create websense websense_service_name
#(config external-services) edit websense_service_name
This changes the prompt to: 

#(config websense websense_service_name) 



Subcommands 



#(config websense websense_service_name) apply-by-default
Applies Websense by default.

#(config websense websense_service_name) exit

Exits #(config websense websense_service_name) mode and returns to #(config
external-services) mode.

#(config websense websense_service_name) fail-open 
Fail open if service is applied by default. 

#(config websense websense_service_name) host hostname 
Remote Websense hostname or IP address. 

#(config websense websense_service_name) max-conn max_num_connections
Specifies the maximum number of concurrent connections.

#(config websense websense_service_name) no apply-by-default
Does not apply service by default.

#(config websense websense_service_name) no fail-open
Fail closed if service is applied by default.

#(config websense websense_service_name) no send {client-address | client-info}
Negates send options.

#(config websense websense_service_name) no serve-exception-page
Serves Websense message when content is blocked.

#(config websense websense_service_name) port port
Port number of remote Websense server.


#(config websense websense_service_name) send client-address 
Sends the client address to the Websense server. 



#(config websense websense_service_name) send client-info 
Sends the client information to the Websense server. 



#(config websense websense_service_name) sense-categories 
Sense categories configured on the Websense server. 

#(config websense websense_service_name) serve-exception-page 
Serves built-in exception page when content is blocked. 

#(config websense websense_service_name) test-url uri 
Tests a url against the Websense server. 
#(config websense websense_service_name) timeout seconds
Sets the receive timeout in seconds. 

#(config websense websense_service_name) version {4.3 | 4.4} 
Sets the version of the Websense server. 



#(config websense websense_service_name) view 
Displays the service's current configuration. 



For More Information 

□ Volume 7: Managing Content 

Example 

SGOS# (config) external-services

SGOS# (config external-services) edit testwebsense 
SGOS# (config websense testwebsense) send client-address 
ok 

SGOS# (config websense testwebsense) exit 
SGOS# (config external-services) exit 
SGOS# (config) 
#(config) failover

Synopsis 

These commands allow you to configure redundancy into your network. 

Syntax 

#(config) failover 
This changes the prompt to: 

#(config failover) 

Subcommands 

#(config failover) create group_address
Creates a failover group.

#(config failover) delete group_address
Deletes a failover group.

#(config failover) edit group_address

Changes the prompt to #(config failover group_address).

#(config failover group_address) {disable | enable}

Disables or enables the failover group indicated by group_address.

#(config failover group_address) encrypted-secret encrypted_secret

(Optional but recommended) Refers to an encrypted password shared only with the group.

#(config failover group_address) exit

Exits #(config failover group_address) mode and returns to #(config failover)
mode.

#(config failover group_address) interval interval_in_seconds

(Optional) Refers to the time between advertisements from the master to the multicast address. The
default is 40 seconds.

#(config failover group_address) master

Defines the current system as the master and all other systems as slaves.

#(config failover group_address) multicast-address multicast_address

Refers to a multicast address where the master sends the keepalives (advertisements) to the slave
systems.

#(config failover group_address) no interval
Resets the interval to the default value (40 seconds).

#(config failover group_address) no multicast-address
Removes the multicast address from the failover group.

#(config failover group_address) no master
Removes this system as the configured master.

#(config failover group_address) no priority
Resets the priority to the default value (100).

#(config failover group_address) no secret
Clears the secret from the failover group.

#(config failover group_address) priority relative_priority

(Optional) Refers to the rank of slave systems. The range is from 1 to 253. (The master system, the
one whose IP address matches the group address, gets 254.)



Chapter 3: Privileged Mode Configure Commands 
#(config failover group_address) secret secret 

(Optional but recommended) Refers to a password shared only with the group. You can create a 
secret, which is then hashed. 

# (config failover group_address) view 

Shows the current settings for the failover group indicated by group_address . 

# (config failover) exit 

Exits # (config failover) mode and returns to # (config) mode. 

#(config failover) view {configuration [group_address | <Enter>] | statistics}
View the configuration of a group or all groups or view all statistics. 
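The following is an added example, not code from the Blue Coat guide or from SGOS: a Python model of the failover group rules the subcommands above state. The master is the appliance whose IP address matches the group address and is ranked 254; slaves carry a configured priority from 1 to 253 (default 100); the master advertises to the multicast address every interval seconds (default 40). Which member should hold the group address at a given moment is decided here as the highest-priority member whose advertisement is still fresh, falling back to the highest-priority standby slave once the master's advertisements go stale. Treating three missed advertisement intervals as "stale" is an assumption made for the example, not a value the guide states; the addresses and timestamps are constructed.

```python
DEFAULT_PRIORITY = 100
MASTER_PRIORITY = 254
DEFAULT_INTERVAL = 40
MISSED_ADVERTS_BEFORE_TAKEOVER = 3  # assumption for this example, not from the guide


class FailoverGroup:
    """Tracks members of one failover group and who should own the group address."""

    def __init__(self, group_address, interval=DEFAULT_INTERVAL):
        self.group_address = group_address
        self.interval = interval        # 'interval interval_in_seconds'
        self.members = {}               # appliance ip -> effective priority
        self.last_seen = {}             # appliance ip -> time of its last advertisement

    def add_member(self, ip, priority=DEFAULT_PRIORITY):
        if ip == self.group_address:
            priority = MASTER_PRIORITY  # the master is ranked 254 regardless of 'priority'
        elif not 1 <= priority <= 253:
            raise ValueError("slave priority must be in 1..253")
        self.members[ip] = priority

    def advertisement(self, ip, now):
        """Record a keepalive (advertisement) heard from ip on the multicast address."""
        if ip not in self.members:
            raise KeyError("advertisement from a non-member: %s" % ip)
        self.last_seen[ip] = now

    def status(self, ip, now):
        """'alive' (fresh advertisement), 'failed' (advertisements stopped) or 'standby'."""
        seen = self.last_seen.get(ip)
        if seen is None:
            return "standby"            # a slave that has only been listening so far
        fresh = now - seen < self.interval * MISSED_ADVERTS_BEFORE_TAKEOVER
        return "alive" if fresh else "failed"

    def active(self, now):
        """Member that should hold the group address at time now, or None."""
        alive = [ip for ip in self.members if self.status(ip, now) == "alive"]
        if alive:
            # A returning master (254) outranks any slave that took over meanwhile.
            return max(alive, key=lambda ip: (self.members[ip], ip))
        standby = [ip for ip in self.members if self.status(ip, now) == "standby"]
        if standby:
            return max(standby, key=lambda ip: (self.members[ip], ip))
        return None
```

The relative_priority setting only matters among slaves: when the master's keepalives stop, the slave with the highest priority takes the group address, and the master reclaims it as soon as its advertisements are heard again.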

For More Information 

□ Volume 5: Advanced Networking 

Examples 

SGOS# (config) failover 

SGOS# (config failover) create 10.9.17.135 
ok 

SGOS# (config failover) exit 
SGOS# (config) 

SGOS# (config) failover 

SGOS# (config failover) edit 10.9.17.135 
SGOS# (config failover 10.9.17.135) master 
ok 

SGOS# (config failover 10.9.17.135) exit 
SGOS# (config failover) exit 
#(config) forwarding

Synopsis 

Configures forwarding of content requests to defined hosts and groups through policy.

Syntax

#(config) forwarding

This changes the prompt to:

#(config forwarding) 



Subcommands 

#(config forwarding) create host host_alias host_name [http[=port]] [https[=port]]
[ftp[=port]] [mms[=port]] [rtsp[=port]] [tcp[=port]] [telnet[=port]]
[ssl-verify-server[=yes | =no]] [group=group_name] [server | proxy]

#(config forwarding) create group group_name

Creates a forwarding host/group. The only required entries under the create option (for a host) are
host_alias, host_name, a protocol, and a port number. The port number can be defined explicitly
(i.e., http=8080), or it can take on the default port value of the protocol, if one exists (i.e., enter http,
and the default port value of 80 is entered automatically).

To create a host group, you must also include the group=group_name option. If this is
the first mention of the group, group_name, then that group is automatically created with this
host as its first member. Do not use this command when creating an independent host.

#(config forwarding) delete all 
Deletes all forwarding hosts and groups. 

#(config forwarding) delete group group_name 
Deletes only the group identified by group_name. 

#(config forwarding) delete host host_alias
Deletes only the host identified by host_alias.

#(config forwarding) download-via-forwarding {disable | enable}

Disables or enables configuration file downloading using forwarding.

#(config forwarding) edit host_or_group_alias 
Changes the prompt to: 

• #(config forwarding group_alias) on page 188

• #(config forwarding host_alias) on page 190

#(config forwarding) exit

Exits #(config forwarding) mode and returns to #(config) mode.

#(config forwarding) failure-mode {closed | open} 

Sets the default forwarding failure mode to closed or open. 

#(config forwarding) host-affinity http method {accelerator-cookie 
[host_or_group_alias] | client-ip-address [host_or_group_alias] | default 
[host_or_group_alias] | none [host_or_group_alias]} 

Selects a host affinity method for HTTP. If a host or group alias is not specified for the 
accelerator-cookie, client-ip-address, or none options, the global default is used. Use the 
default option to specify default configurations for all the settings for a specified host or group. 

#(config forwarding) host-affinity ssl method {accelerator-cookie 
[host_or_group_alias] | client-ip-address [host_or_group_alias] | default 
[host_or_group_alias] | none [host_or_group_alias] | ssl-session-id 
[host_or_group_alias]} 

Selects a host affinity method for SSL. If a host or group alias is not specified for the 
accelerator-cookie, client-ip-address, none, or ssl-session-id options, the global 
default is used. Use the default option to specify default configurations for all the settings for a 
specified host or group. 

#(config forwarding) host-affinity other method {client-ip-address 
[host_or_group_alias] | default [host_or_group_alias] | none 
[host_or_group_alias]} 

Selects a host affinity method (non-HTTP or non-SSL). If a host or group alias is not specified for the 
client-ip-address or none options, the global default is used. Use the default option to specify 
default configurations for all the settings for a specified host or group. 

#(config forwarding) host-affinity timeout minutes 
Sets the timeout in minutes for the host affinity. 

#(config forwarding) integrated-host-timeout minutes 
Sets the timeout for aging out unused integrated hosts. 

#(config forwarding) load-balance {default [group_alias] | domain-hash 
[group_alias] | least-connections [group_alias] | none [group_alias] | 
round-robin [group_alias] | url [group_alias]} 

Sets if and how load balancing hashes between group members. If a group alias is not specified for the 
domain-hash, least-connections, round-robin, url, or none options, the global default is used. 
Use the default option to specify default configurations for all the settings for a specified group. 

#(config forwarding) load-balance method {default [host_alias] | 
least-connections [host_alias] | none [host_alias] | round-robin 
[host_alias]} 

Sets the load balancing method. If a host alias is not specified for the least-connections, 
round-robin, or none options, the global default is used. Use the default option to specify default 
configurations for all the settings for a specified host. 

#(config forwarding) no path 
Negates certain forwarding settings. 

#(config forwarding) path url 

Sets the network path to download forwarding settings. 

#(config forwarding) sequence add host_or_group_alias 
Adds an alias to the end of the default failover sequence. 

#(config forwarding) sequence clear 
Clears the default failover sequence. 

#(config forwarding) sequence demote host_or_group_alias 

Demotes an alias one place towards the end of the default failover sequence. 

#(config forwarding) sequence promote host_or_group_alias 

Promotes an alias one place towards the start of the default failover sequence. 

#(config forwarding) sequence remove host_or_group_alias 
Removes an alias from the default failover sequence. 

#(config forwarding) view 

Displays the currently defined forwarding groups or hosts. 



For More Information 

□ Volume 5: Advanced Networking 

Example 

SGOS#(config) forwarding 
SGOS#(config forwarding) download-via-forwarding disable 
ok 

SGOS#(config forwarding) failure-mode closed 
ok 

SGOS#(config forwarding) host-affinity method client-ip-address 
ok 

SGOS#(config forwarding) load-balance hash domain group_name1 
ok 

SGOS#(config forwarding) exit 
SGOS#(config) 
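A fuller forwarding session, added here as an illustration and not taken from the Blue Coat documentation. It creates two forwarding hosts into one group with server certificate verification turned on, sets the failure mode to closed so that a request is denied rather than sent out directly when no forwarding host is available, puts the group in the default failover sequence, and then edits the group's load-balancing and SSL affinity settings. The aliases, host names and ports are constructed; the host-creation command is written as `create host`, following the page's own `create group` form, and the group membership is created implicitly by the first `group=` reference as the page describes. 

```sgos
SGOS#(config) forwarding
SGOS#(config forwarding) create host upstream1 proxy1.example.com http=8080 https=8443 ssl-verify-server=yes group=upstream_pool proxy
ok
SGOS#(config forwarding) create host upstream2 proxy2.example.com http=8080 https=8443 ssl-verify-server=yes group=upstream_pool proxy
ok
SGOS#(config forwarding) failure-mode closed
ok
SGOS#(config forwarding) sequence add upstream_pool
ok
SGOS#(config forwarding) edit upstream_pool
SGOS#(config forwarding upstream_pool) load-balance method least-connections
ok
SGOS#(config forwarding upstream_pool) host-affinity ssl ssl-session-id
ok
SGOS#(config forwarding upstream_pool) exit
SGOS#(config forwarding) exit
SGOS#(config)
```

The two settings that matter most from a security standpoint are `ssl-verify-server=yes`, which makes the appliance check the upstream certificate before forwarding over HTTPS, and `failure-mode closed`, which keeps traffic from silently bypassing the forwarding path when the upstream hosts are down. 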
#(config forwarding group_alias) 

Synopsis 

These commands allow you to edit the settings of a specific forwarding group. 

Syntax 

#(config) forwarding 

This changes the prompt to: 

#(config forwarding) create host_alias hostname protocol=port group=group_alias 
#(config forwarding) edit group_alias 
This changes the prompt to: 

#(config forwarding group_alias) 

Subcommands 

#(config forwarding group_alias) add 
Adds a new group. 

#(config forwarding group_alias) exit 

Exits #(config forwarding group_alias) mode and returns to #(config forwarding) 
mode. 

#(config forwarding group_alias) host-affinity http {accelerator-cookie | 
client-ip-address | default | none} 

Changes the host affinity method (non-SSL) for this group. 

#(config forwarding group_alias) host-affinity other {client-ip-address | 
default | none} 

Changes the other host affinity method for this group. 

#(config forwarding group_alias) host-affinity ssl {accelerator-cookie | 
client-ip-address | default | ssl-session-id | none} 

Changes the host affinity method (SSL) for this group. 

#(config forwarding group_alias) load-balance method {default | domain-hash | 
least-connections | none | round-robin | url-hash} 

Changes the load balancing method. 

#(config forwarding group_alias) remove 
Removes an existing group. 

#(config forwarding group_alias) view 

Shows the current settings for this forwarding group. 

For More Information 

□ Volume 5: Advanced Networking 

Example 

SGOS#(config) forwarding 
SGOS#(config forwarding) edit test_group 
SGOS#(config forwarding test_group) load-balance hash domain 
ok 

SGOS#(config forwarding test_group) exit 
SGOS#(config forwarding) exit 
SGOS#(config) 
#(config forwarding host_alias) 

Synopsis 

These commands allow you to edit the settings of a specific forwarding host. 

Syntax 

#(config) forwarding 

This changes the prompt to: 

#(config forwarding) create host_alias hostname protocol=port 
#(config forwarding) edit host_alias 
This changes the prompt to: 

#(config forwarding host_alias) 

Subcommands 

#(config forwarding host_alias) exit 

Exits #(config forwarding host_alias) mode and returns to #(config forwarding) mode. 

#(config forwarding host_alias) ftp [port] 

Changes the FTP port to the default port or to a port that you specify. 

#(config forwarding host_alias) host host_name 
Changes the host name. 

#(config forwarding host_alias) host-affinity http {accelerator-cookie | 
client-ip-address | default | none} 

Changes the host affinity method (non-SSL) for this host. 

#(config forwarding host_alias) host-affinity other {client-ip-address | default 
| none} 

Changes the other host affinity method for this host. 

#(config forwarding host_alias) host-affinity ssl {accelerator-cookie | 
client-ip-address | default | ssl-session-id | none} 

Changes the host affinity method (SSL) for this host. 

#(config forwarding host_alias) http [port] 

Changes the HTTP port to the default port or to a port that you specify. 

#(config forwarding host_alias) https [port] 

Changes the HTTPS port to the default port or to a port that you specify. 

#(config forwarding host_alias) load-balance method {default | least-connections 
| round-robin | none} 

Changes the load balancing method. 

#(config forwarding host_alias) mms [port] 

Changes the MMS port to the default port or to a port that you specify. 

#(config forwarding host_alias) no {ftp | http | https | mms | rtsp | 
ssl-verify-server | tcp | telnet} 

Deletes a setting for this host. 

#(config forwarding host_alias) proxy 

Makes the host a proxy instead of a server; any HTTPS or TCP ports are deleted. 

#(config forwarding host_alias) rtsp [port] 

Changes the RTSP port to the default port or to a port that you specify. 

#(config forwarding host_alias) server 
Makes the host a server instead of a proxy. 

#(config forwarding host_alias) ssl-verify-server 
Sets SSL to verify server certificates. 

#(config forwarding host_alias) tcp [port] 

Changes the TCP port to the default port or to a port that you specify. 

#(config forwarding host_alias) telnet [port] 

Changes the Telnet port to the default port or to a port that you specify. 

#(config forwarding host_alias) view 

Shows the current settings for this forwarding host. 



For More Information 

□ Volume 5: Advanced Networking 



Example 



SGOS#(config) forwarding 
SGOS#(config forwarding) edit test_host 
SGOS#(config forwarding test_host) server 
ok 

SGOS#(config forwarding test_host) exit 
SGOS#(config forwarding) exit 
#(config) front-panel 

Synopsis 

Use this command to configure the front panel. For instance, the front-panel LCD behavior can be 
configured using the backlight command. 



Syntax 

#(config) front-panel 
This changes the prompt to: 
#(config front-panel) 



Subcommands 

#(config front-panel) backlight flash 

The front-panel LCD is configured to flash, which can, for instance, help you locate a particular 
appliance in a room full of appliances. 

#(config front-panel) backlight state {off | on | timeout} 

The front-panel LCD is configured to be always turned on, always turned off, or to turn off after a 
specified length of time (use the backlight timeout command to configure the length of time). 

#(config front-panel) backlight timeout seconds 

Configures the length of time before the front-panel LCD turns off. You must also set the backlight 
state timeout command to configure timeout mode. 

#(config front-panel) exit 

Exits #(config front-panel) mode and returns to #(config) mode. 

#(config front-panel) hashed-pin hashed_PIN 
Specifies a front-panel PIN in hashed format. 

#(config front-panel) no backlight flash 
Stops the front-panel LCD from flashing. 

#(config front-panel) pin PIN 

Sets a four-digit PIN to restrict access to the front panel of the SG appliance. To clear the PIN, specify 
0000 instead of a real PIN. 

#(config front-panel) view 
Displays the front panel settings. 

For More Information 

□ Volume 4: Securing the Blue Coat SG Appliance 



Example 

SGOS#(config) front-panel 
SGOS#(config front-panel) backlight state timeout 
ok 

SGOS#(config front-panel) backlight timeout 60 
ok 

SGOS#(config front-panel) exit 
SGOS#(config) 
#(config) ftp 

Synopsis 

Use this command to configure FTP parameters. 

Syntax 

#(config) ftp login-syntax {raptor | checkpoint} 

Toggles between Raptor and Checkpoint login syntax. The default is Raptor. 

#(config) ftp no welcome-banner 

No text is displayed to an FTP client when a connection occurs. 

#(config) ftp welcome-banner banner 

Customizes the text displayed to an FTP client when a connection occurs. 

For More Information 

□ Volume 2: Proxies and Proxy Services 

□ #(config caching ftp) on page 126 

Example 

SGOS#(config) ftp login-syntax checkpoint 

ok 
#(config) general 

Synopsis 

Use these commands to set global defaults for user behavior when license limits are exceeded and 
trusting client-provided destination IP addresses. 

Syntax 

SGOS#(config) general {trust-destination-ip | user-overflow-action} 



Subcommands 

SGOS#(general) trust-destination-ip {enable | disable} 

Allows the SG appliance to trust a client-provided destination IP address and not do a DNS lookup. 

• Proxy Edition default: disable 

• MACH5 Edition default: enable 

SGOS#(general) user-overflow-action {bypass | none | queue} 

Set overflow behavior when there are more licensed-user connections going through the system than is 
allowed by the model license. The default is none. 

For More Information 

□ Volume 2: Proxies and Proxy Services 

Example 

SGOS#(general) trust-destination-ip enable 

ok 
#(config) health-check 

Synopsis 

Use this command to configure health check settings. 

Syntax 

#(config) health-check 

This changes the prompt to: 

#(config health-check) 



Subcommands 

(config health-check) copy source-alias target-alias 
Copy from one health check to another (creating if necessary). 

(config health-check) create {composite alias_name | http alias_name url | https 
alias_name url | icmp alias_name hostname | ssl alias_name hostname [port] | tcp 
alias_name hostname [port]} 

Create a user-defined health check of the type specified. 

(config health-check) default e-mail {healthy {enable | disable} | report-all-ips 
{enable | disable} | sick {enable | disable}} 

Configure defaults for e-mail options. 

(config health-check) default event-log {healthy {enable | disable} | report-all-ips 
{enable | disable} | sick {enable | disable}} 

Configure defaults for event-log options. 

(config health-check) default failure-trigger {none | count} 

Configure defaults for the failure-trigger options. 

(config health-check) default interval {healthy seconds | sick seconds} 

Configure defaults for interval options. 

(config health-check) default snmp {healthy {enable | disable} | report-all-ips 
{enable | disable} | sick {enable | disable}} 

Configure defaults for snmp options. 

(config health-check) default threshold {healthy count | response-time 
milliseconds | sick count} 

Configure defaults for threshold options. 

(config health-check) delete alias_name 
Delete the specified health check. 

(config health-check) disable {healthy alias_name | sick alias_name} 

Disable the specified health check and have it always report healthy or sick. 

(config health-check) edit composite_health_check 
Edit the specified composite health check. 

(config health-check user.composite_health_check) add member_name 
Add the specified member to the composite health check group. 

(config health-check user.composite_health_check) combine {all-healthy | 
any-healthy | some-healthy} 

Require that all, some, or any members of the group report as healthy to have the composite health 
check report as healthy. 

(config health-check user.composite_health_check) e-mail {healthy {default | 
enable | disable} | report-all-ips {default | enable | disable} | sick 
{default | enable | disable}} 

Send e-mail notification when a health check reports healthy or sick, whether or not those reports 
are for all IP addresses. 

(config health-check user.composite_health_check) event-log {healthy {default | 
enable | disable} | report-all-ips {default | enable | disable} | sick 
{default | enable | disable}} 

Log an event when a health check reports healthy or sick, whether or not those reports are for all IP 
addresses. 

(config health-check user.composite_health_check) exit 
Leaves the composite health check editing submode. 

(config health-check user.composite_health_check) perform-health-check 
Does a health check on the members of the composite immediately and reports the result. 

(config health-check user.composite_health_check) remove member_name 
Remove a member from the composite group. 

(config health-check user.composite_health_check) snmp {healthy {default | enable 
| disable} | report-all-ips {default | enable | disable} | sick {default | 
enable | disable}} 

Sends a trap when the health check reports healthy or sick, whether or not those reports are for all IP 
addresses. 

(config health-check user.composite_health_check) use-defaults 

Resets the defaults of the health check to use the global defaults instead of any explicitly set values. 

(config health-check user.composite_health_check) view {configuration | 
statistics} 

Views the composite health check's configuration or statistics. 

(config health-check) edit drtr.test_name 

Allows you to configure options for the health check you specified. 

(config health-check drtr.test_name) clear-statistics 
Clears statistics for this health check. 

(config health-check drtr.test_name) e-mail {healthy {default | enable | disable} | 
report-all-ips {default | enable | disable} | sick {default | enable | 
disable}} 

Send e-mail notification when the health check reports healthy or sick, whether or not those reports 
are for all IP addresses. 

(config health-check drtr.test_name) event-log {healthy {default | enable | 
disable} | report-all-ips {default | enable | disable} | sick {default | 
enable | disable}} 

Log an event when the health check reports healthy or sick, whether or not those reports are for all 
IP addresses. 

(config health-check drtr.test_name) exit 
Leaves the health check editing mode. 

(config health-check drtr.test_name) failure-trigger {default | none | count} 
Configure options for the failure-trigger. 

(config health-check drtr.test_name) interval {healthy {default | seconds} | sick 
{default | seconds}} 

Configure intervals before the health check is re-run. The intervals can be different for health checks 
that are reporting healthy and health checks that are reporting sick. 

(config health-check drtr.test_name) perform-health-check 
Starts the health check immediately and reports the result. 

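A composite health check built from the commands above, added here as an illustration and not taken from the Blue Coat documentation. It creates an HTTPS check and a TCP check against two constructed upstream hosts, groups them into a composite that reports healthy while any member is healthy, turns on SNMP and event-log notification for the sick transition so that an outage is visible to monitoring, and raises the global sick threshold so a single failed probe does not flip the state. The aliases, host names, URL and port are constructed; member names are given to `add` as the bare aliases used at creation, which is an assumption, as the page does not show whether the `user.` prefix is required there. 

```sgos
SGOS#(config) health-check
SGOS#(config health-check) create https hc_upstream1 https://proxy1.example.com:8443/healthz
ok
SGOS#(config health-check) create tcp hc_upstream2 proxy2.example.com 8080
ok
SGOS#(config health-check) create composite hc_upstream_pool
ok
SGOS#(config health-check) default threshold sick 3
ok
SGOS#(config health-check) edit hc_upstream_pool
SGOS#(config health-check user.hc_upstream_pool) add hc_upstream1
ok
SGOS#(config health-check user.hc_upstream_pool) add hc_upstream2
ok
SGOS#(config health-check user.hc_upstream_pool) combine any-healthy
ok
SGOS#(config health-check user.hc_upstream_pool) snmp sick enable
ok
SGOS#(config health-check user.hc_upstream_pool) event-log sick enable
ok
SGOS#(config health-check user.hc_upstream_pool) perform-health-check
SGOS#(config health-check user.hc_upstream_pool) exit
SGOS#(config health-check) exit
SGOS#(config)
```

`combine any-healthy` is the right choice when the members are redundant paths to the same service; use `all-healthy` when every member must be up for the service to be usable, otherwise the composite will report healthy while a required dependency is down. 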
(config health-check drtr.test_name) snmp {healthy {default | enable | disable} | 
report-all-ips {default | enable | disable} | sick {default | enable | 
disable}} 

Sends a trap when the health check reports healthy, whenever an IP address health check reports 
healthy, or when a health check reports sick. 

(config health-check drtr.test_name) threshold {healthy {default | count} | 
response-time {default | none | milliseconds} | sick {default | count}} 

Set the level when health checks will report healthy or sick. 

(config health-check drtr.test_name) use-defaults 

Resets the defaults of the health check to use the global defaults instead of any explicitly set values. 

(config health-check drtr.test_name) view {configuration | statistics} 

Views the health check's configuration or statistics. 

(config health-check) edit fwd.group_name 

Allows you to configure options for the health check you specified. 

(config health-check fwd.group_name) combine {all-healthy | any-healthy | 
some-healthy} 

Combines the results when a group test is healthy. 

(config health-check fwd.group_name) e-mail {healthy {default | enable | disable} | 
report-all-ips {default | enable | disable} | sick {default | enable | 
disable}} 

Send e-mail notification when the health check reports healthy or sick, whether or not those reports 
are for all IP addresses. 

(config health-check fwd.group_name) event-log {healthy {default | enable | 
disable} | report-all-ips {default | enable | disable} | sick {default | 
enable | disable}} 

Log an event when the health check reports healthy or sick, whether or not those reports are for all 
IP addresses. 

(config health-check fwd.group_name) exit 
Leaves the health check editing mode. 

(config health-check fwd.group_name) perform-health-check 
Starts the health check immediately and reports the result. 

(config health-check fwd.group_name) snmp {healthy {default | enable | disable} | 
report-all-ips {default | enable | disable} | sick {default | enable | 
disable}} 

Sends a trap when the health check reports healthy, whenever an IP address health check reports 
healthy, or when a health check reports sick. 

(config health-check fwd.group_name) use-defaults 

Resets the defaults of the health check to use the global defaults instead of any explicitly set values. 

(config health-check fwd.group_name) view {configuration | statistics} 

Views the health check's configuration or statistics. 

(config health-check) edit fwd.host_name 

Allows you to configure options for the health check you specified. 

(config health-check fwd.host_name) authentication {basic | disable | 
encrypted-password encrypted-password | password password | username username} 
(Used with HTTP or HTTPS health checks.) To test Basic authentication, you can enter the username 
and password of the target. 

(config health-check fwd.host_name) clear-statistics 
Clears statistics for this health check. 

(config health-check fwd.host_name) e-mail {healthy {default | enable | disable} | 
report-all-ips {default | enable | disable} | sick {default | enable | 
disable}} 

Send e-mail notification when the health check reports healthy or sick, whether or not those reports 
are for all IP addresses. 

(config health-check fwd.host_name) event-log {healthy {default | enable | 
disable} | report-all-ips {default | enable | disable} | sick {default | 
enable | disable}} 

Log an event when the health check reports healthy or sick, whether or not those reports are for all 
IP addresses. 

(config health-check fwd.host_name) exit 
Leaves the health check editing mode. 

(config health-check fwd.host_name) failure-trigger {default | none | count} 
Configure options for the failure-trigger. 

(config health-check fwd.host_name) interval {healthy {default | seconds} | sick 
{default | seconds}} 

Configure intervals before the health check is re-run. The intervals can be different for health checks 
that are reporting healthy and health checks that are reporting sick. 

(config health-check fwd.host_name) perform-health-check 
Starts the health check immediately and reports the result. 

(config health-check fwd.host_name) proxy-authentication {basic | disable | 
encrypted-password encrypted-password | password password | username 
username} 

(Used with HTTP or HTTPS health checks, when intermediate proxies are between you and the 
target.) Enter the username and password of the intermediate proxy. 

(config health-check fwd.host_name) response-code {add codes | remove codes} 

To manage a list of codes that are considered successes, you can add or remove codes, separated by 
semi-colons. If a success code is received by the health check, the health check considers the HTTP/ 
HTTPS test to be successful. 

(config health-check fwd.host_name) snmp {healthy {default | enable | disable} | 
report-all-ips {default | enable | disable} | sick {default | enable | 
disable}} 

Sends a trap when the health check reports healthy, whenever an IP address health check reports 
healthy, or when a health check reports sick. 

(config health-check fwd.host_name) threshold {healthy {default | count} | 
response-time {default | none | milliseconds} | sick {default | count}} 

Set the level when health checks will report healthy or sick. 

(config health-check fwd.host_name) type {http URL | https URL | icmp hostname | ssl 
hostname [port] | tcp hostname [port]} 

Set the number of consecutive healthy or sick test results before the health check actually reports as 
healthy or sick. 

(config health-check fwd.host_name) use-defaults 

Resets the defaults of the health check to use the global defaults instead of any explicitly set values. 

(config health-check fwd.host_name) view {configuration | statistics} 

Views the health check's configuration or statistics. 

(config health-check) edit health_check_name 

Allows you to configure options for the health check you specified. 

(config health-check user.health_check_name) authentication {basic | disable | 
encrypted-password encrypted-password | password password | username username} 
(Used with HTTP or HTTPS health checks.) To test Basic authentication, you can enter the username 
and password of the target. 
(config health-check user.health_check_name) clear-statistics 
Clears statistics for this health check. 

(config health-check user.health_check_name) e-mail {healthy {default | enable | 
disable} | report-all-ips {default | enable | disable} | sick {default | 
enable | disable}} 

Send e-mail notification when the health check reports healthy or sick, whether or not those reports 
are for all IP addresses. 

(config health-check user.health_check_name) event-log {healthy {default | 
enable | disable} | report-all-ips {default | enable | disable} | sick 
{default | enable | disable}} 

Log an event when the health check reports healthy or sick, whether or not those reports are for all 
IP addresses. 

(config health-check user.health_check_name) exit 
Leaves the health check editing mode. 

(config health-check user.health_check_name) failure-trigger {default | none | 
count} 

Configure options for the failure-trigger. 

(config health-check user.health_check_name) interval {healthy {default | 
seconds} | sick {default | seconds}} 

Configure intervals before the health check is re-run. The intervals can be different for health checks 
that are reporting healthy and health checks that are reporting sick. 

(config health-check user.health_check_name) perform-health-check 
Starts the health check immediately and reports the result. 

(config health-check user.health_check_name) proxy-authentication {basic | 
disable | encrypted-password encrypted-password | password password | 
username username} 

(Used with HTTP or HTTPS health checks, when intermediate proxies are between you and the 
target.) Enter the username and password of the intermediate proxy. 

(config health-check user.health_check_name) response-code {add codes | remove 
codes} 

To manage a list of codes that are considered successes, you can add or remove codes, separated by 
semi-colons. If a success code is received by the health check, the health check considers the HTTP/ 
HTTPS test to be successful. 

(config health-check user.health_check_name) snmp {healthy {default | enable | 
disable} | report-all-ips {default | enable | disable} | sick {default | 
enable | disable}} 

Sends a trap when the health check reports healthy, whenever an IP address health check reports 
healthy, or when a health check reports sick. 

(config health-check user.health_check_name) threshold {healthy {default | count} 
| response-time {default | none | milliseconds} | sick {default | count}} 

Set the level when health checks will report healthy or sick. 

(config health-check user.health_check_name) type {http URL | https URL | icmp 
hostname | ssl hostname [port] | tcp hostname [port]} 

Set the number of consecutive healthy or sick test results before the health check actually reports as 
healthy or sick. 

(config health-check user.health_check_name) use-defaults 

Resets the defaults of the health check to use the global defaults instead of any explicitly set values. 

(config health-check user.health_check_name) view {configuration | statistics} 
Views the health check's configuration or statistics. 

(config health-check) edit icap.test_name 

Allows you to configure options for the health check you specified. 
(config health-check icap.test_name) clear-statistics 
Clears statistics for this health check. 

(config health-check icap.test_name) e-mail {healthy {default | enable | disable} | 
report-all-ips {default | enable | disable} | sick {default | enable | 
disable}} 

Send e-mail notification when the health check reports healthy or sick, whether or not those reports 
are for all IP addresses. 

(config health-check icap.test_name) event-log {healthy {default | enable | 
disable} | report-all-ips {default | enable | disable} | sick {default | 
enable | disable}} 

Log an event when the health check reports healthy or sick, whether or not those reports are for all 
IP addresses. 

(config health-check icap.test_name) exit 
Leaves the health check editing mode. 

(config health-check icap.test_name) failure-trigger {default | none | count} 
Configure options for the failure-trigger. 

(config health-check icap.test_name) interval {healthy {default | seconds} | sick 
{default | seconds}} 

Configure intervals before the health check is re-run. The intervals can be different for health checks 
that are reporting healthy and health checks that are reporting sick. 

(config health-check icap.test_name) perform-health-check 
Starts the health check immediately and reports the result. 

(config health-check icap.test_name) snmp {healthy {default | enable | disable} | 
report-all-ips {default | enable | disable} | sick {default | enable | 
disable}} 

Sends a trap when the health check reports healthy, whenever an IP address health check reports 
healthy, or when a health check reports sick. 

(config health-check icap.test_name) threshold {healthy {default | count} | 
response-time {default | none | milliseconds} | sick {default | count}} 

Set the level when health checks will report healthy or sick. 

(config health-check icap.test_name) use-defaults 

Resets the defaults of the health check to use the global defaults instead of any explicitly set values. 

(config health-check icap.test_name) view {configuration | statistics} 

Views the health check's configuration or statistics. 

(config health-check) edit socks.test_name 

Allows you to configure options for the health check you specified. 

(config health-check socks.test_name) clear-statistics 
Clears statistics for this health check. 

(config health-check socks.test_name) e-mail {healthy {default | enable | disable} | 
report-all-ips {default | enable | disable} | sick {default | enable | 
disable}} 

Send e-mail notification when the health check reports healthy or sick, whether or not those reports 
are for all IP addresses. 

(config health-check socks.test_name) event-log {healthy {default | enable | 
disable} | report-all-ips {default | enable | disable} | sick {default | 
enable | disable}} 

Log an event when the health check reports healthy or sick, whether or not those reports are for all 
IP addresses. 

(config health-check socks.test_name) exit 
Leaves the health check editing mode. 
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(config health-check socks . test_name) failure- trigger {default | none | count] 
Configure options for the failure-trigger. 

(config health-check socks . test_nafne) interval {healthy {default | secondsl | sick 
{default I secondsl) 

Configure intervals before the health check is re-run. The intervals can be different for health checks 
that are reporting healthy and health checks that are reporting sick. 

(config health-check socks . test_name) perform-health-check 
Starts the health check immediately and reports the result. 

(config health-check socks . test_name) snmp {healthy {default | enable | disable}] 
report-all-ips {healthy {default j enable j disable)] sick {default ] enable ] 
disable}) 

Sends a trap when the health check reports healthy, whenever an IP address health check reports 
healthy, or when a health check reports sick. 

(config health-check socks . test_name) threshold {healthy {default ] count) ] 
response- time {default ] none ] milliseconds] \ sick {default ] count)) 

Set the level when health checks will report healthy or sick. 

(config health-check socks . test_nafne) type (http URL ] https URL ] icmp hostname ] 
ssl hostname [port] ] tcp hostname [port]] 

Set the number of consecutive healthy or sick test results before the health check actually reports as 
healthy or sick. 

(config health-check socks . test_name) use-defaults 

Re-sets the defaults of the health check to use the global defaults instead of any explicitly set values. 

(config health-check socks . test_name) view {configuration ] statistics) 

Views the health check's configuration or statistics. 

(config health-check) edit ws.test_name

Allows you to configure options for the health check you specified.

(config health-check ws.test_name) clear-statistics
Clears statistics for this health check.

(config health-check ws.test_name) e-mail {healthy {default | enable | disable} |
report-all-ips {default | enable | disable} | sick {default | enable | disable}}

Send e-mail notification when the health check reports healthy or sick, whether or not those reports
are for all IP addresses.

(config health-check ws.test_name) event-log {healthy {default | enable | disable} |
report-all-ips {default | enable | disable} | sick {default | enable | disable}}

Log an event when the health check reports healthy or sick, whether or not those reports are for all
IP addresses.

(config health-check ws.test_name) exit
Leaves the health check editing mode.

(config health-check ws.test_name) failure-trigger {default | none | count}
Configure options for the failure-trigger.

(config health-check ws.test_name) interval {healthy {default | seconds} | sick
{default | seconds}}

Configure intervals before the health check is re-run. The intervals can be different for health checks
that are reporting healthy and health checks that are reporting sick.

(config health-check ws.test_name) perform-health-check
Starts the health check immediately and reports the result.

(config health-check ws.test_name) snmp {healthy {default | enable | disable} |
report-all-ips {default | enable | disable} | sick {default | enable | disable}}

Sends a trap when the health check reports healthy, whenever an IP address health check reports
healthy, or when a health check reports sick.

(config health-check ws.test_name) test-url {default | url}

Sets the URL that this health check requests, or restores the default test URL.

(config health-check ws.test_name) threshold {healthy {default | count} |
response-time {default | none | milliseconds} | sick {default | count}}

Sets the number of consecutive healthy or sick test results before the health check actually reports as
healthy or sick, and optionally a response-time limit in milliseconds.

(config health-check ws.test_name) use-defaults

Re-sets the defaults of the health check to use the global defaults instead of any explicitly set values.

(config health-check ws.test_name) view {configuration | statistics}

Views the health check's configuration or statistics.

(config health-check) edit ws.group_name

Allows you to configure options for the health check group you specified.

(config health-check ws.group_name) combine {all-healthy | any-healthy | some-healthy}

Specifies how the results of the group's members are combined to decide whether the group reports
healthy.

(config health-check ws.group_name) e-mail {healthy {default | enable | disable} |
report-all-ips {default | enable | disable} | sick {default | enable | disable}}

Send e-mail notification when the health check reports healthy or sick, whether or not those reports
are for all IP addresses.

(config health-check ws.group_name) event-log {healthy {default | enable | disable} |
report-all-ips {default | enable | disable} | sick {default | enable | disable}}

Log an event when the health check reports healthy or sick, whether or not those reports are for all
IP addresses.

(config health-check ws.group_name) exit
Leaves the health check editing mode.

(config health-check ws.group_name) perform-health-check
Starts the health check immediately and reports the result.

(config health-check ws.group_name) snmp {healthy {default | enable | disable} |
report-all-ips {default | enable | disable} | sick {default | enable | disable}}

Sends a trap when the health check reports healthy, whenever an IP address health check reports
healthy, or when a health check reports sick.

(config health-check ws.group_name) use-defaults

Re-sets the defaults of the health check to use the global defaults instead of any explicitly set values.

(config health-check ws.group_name) view {configuration | statistics}

Views the health check's configuration or statistics.

(config health-check) enable alias_name
Enable the health check of the specified name.

(config health-check) exit

Leave the health-check configuration mode.

(config health-check) perform-health-check alias_name
Runs the specified health check.
(config health-check) view {configuration | quick-statistics | statistics}
Views the configuration or statistics for all health checks. You can also view a summary of the
health-check statistics.

For More Information 

□ Volume 5: Advanced Networking 

Example 

SGOS#(config) health-check

SGOS#(config health-check) create composite composite1
SGOS#(config health-check) edit composite1

SGOS#(config health-check user.composite1) view statistics
Enabled   Health check failed   DOWN
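The threshold, interval and combine subcommands above describe a small state machine: a check only changes what it reports after a run of consecutive results, a slow reply counts against it, and the probe interval depends on the state currently reported. The following is an added illustration of that logic in Python, not SGOS code; the class and function names are the author's, and the probe results are constructed. It models only what the text states (consecutive-count thresholds, a response-time limit, separate healthy and sick intervals, and the all-healthy and any-healthy group combinations); some-healthy is left out because the page does not define it.

```python
"""Model of the health-check threshold/interval logic described above.

Added illustration, not SGOS code. Assumes, as the reference text states,
that a check reports sick only after `threshold sick` consecutive failing
results, reports healthy again only after `threshold healthy` consecutive
passing results, treats a reply slower than `threshold response-time` as a
failing result, and waits `interval healthy` or `interval sick` seconds
before the next probe depending on the state it currently reports.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Thresholds:
    healthy: int = 1                        # consecutive passes before reporting healthy
    sick: int = 1                           # consecutive failures before reporting sick
    response_time_ms: Optional[int] = None  # None models "response-time none"


@dataclass
class Intervals:
    healthy: int = 10                       # seconds between probes while healthy
    sick: int = 10                          # seconds between probes while sick


@dataclass
class HealthCheck:
    name: str
    thresholds: Thresholds = field(default_factory=Thresholds)
    intervals: Intervals = field(default_factory=Intervals)
    state: str = "healthy"                  # what the check currently reports
    healthy_run: int = 0                    # consecutive passing results so far
    sick_run: int = 0                       # consecutive failing results so far
    transitions: List[str] = field(default_factory=list)

    def record(self, passed: bool, response_ms: int = 0) -> str:
        """Feed one probe result; return the state reported afterwards."""
        limit = self.thresholds.response_time_ms
        if passed and limit is not None and response_ms > limit:
            passed = False                  # too slow counts as a failing result
        if passed:
            self.healthy_run += 1
            self.sick_run = 0
        else:
            self.sick_run += 1
            self.healthy_run = 0
        # Hysteresis: the reported state flips only after a full run, so one
        # slow or failed probe does not pull a server out of service.
        if self.state == "healthy" and self.sick_run >= self.thresholds.sick:
            self.state = "sick"
            self.transitions.append("sick")
        elif self.state == "sick" and self.healthy_run >= self.thresholds.healthy:
            self.state = "healthy"
            self.transitions.append("healthy")
        return self.state

    def next_interval(self) -> int:
        """Seconds until the next probe, chosen by the reported state."""
        return self.intervals.healthy if self.state == "healthy" else self.intervals.sick


def run_probes(check: HealthCheck, results: List[Tuple[bool, int]]) -> List[Tuple[str, int]]:
    """Replay (passed, response_ms) probe results; return (state, next_interval) per probe."""
    return [(check.record(ok, ms), check.next_interval()) for ok, ms in results]


def combine(mode: str, member_states: List[str]) -> str:
    """Group result for the two combine modes whose meaning the text makes explicit."""
    healthy = [s == "healthy" for s in member_states]
    if mode == "all-healthy":
        return "healthy" if all(healthy) else "sick"
    if mode == "any-healthy":
        return "healthy" if any(healthy) else "sick"
    raise ValueError(f"combine mode {mode!r} not modelled here")


if __name__ == "__main__":
    hc = HealthCheck("socks.gw1", Thresholds(healthy=3, sick=2, response_time_ms=500),
                     Intervals(healthy=30, sick=5))
    # Constructed probe sequence: one slow reply and one failure take the
    # check sick; it needs three clean replies in a row to come back.
    for state, wait in run_probes(hc, [(True, 40), (True, 900), (False, 0),
                                       (True, 50), (True, 60), (True, 70)]):
        print(state, wait)
```

The constructed sequence shows why the sick threshold and the sick interval are set together: the check stays sick while probing every 5 seconds, and the healthy threshold of three keeps a flapping server from being put back into service after a single good reply.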
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#(config) hide-advanced 



See 



□ # hide-advanced on page 52. 
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#(config) hostname 

Synopsis 

Use this command to assign a name to an SG appliance. Any descriptive name that helps identify the 
system is sufficient. 

Syntax 

#(config) hostname name 

Associates name with the current SG appliance. 



For More Information 

□ Volume 5: Advanced Networking 

Example 

SGOS# (config) hostname "Blue Coat Demo" 
ok 
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#(config) http 

Synopsis 

Use this command to configure HTTP settings. 

Syntax 

#(config) http [no] add-header client-ip

Adds the client-ip header to forwarded requests.

#(config) http [no] add-header front-end-https

Adds the front-end-https header to forwarded requests.

#(config) http [no] add-header via
Adds the via header to forwarded requests.

#(config) http [no] add-header x-forwarded-for

Adds the x-forwarded-for header to forwarded requests.

The client-ip and x-forwarded-for headers disclose the address of the client behind the proxy to the
origin server, and the via header discloses the proxy itself; enable them only where the origin servers
need that information.
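The four add-header options above are easiest to reason about from both ends of the connection. The following is an added example in Python, not SGOS code, of what a proxy appends for each option and of how an origin server should read X-Forwarded-For afterwards. It assumes the usual conventions for these headers (the client address is appended to any X-Forwarded-For already present, a hop is appended to Via, and Front-End-Https: on is sent only for a TLS client connection); the function names, host names and addresses are the author's.

```python
"""Added illustration of the add-header options above (not SGOS code).

Assumed behaviour, following the common conventions for these headers:
the proxy appends the connecting client's address to any X-Forwarded-For
it received, appends its own hop to Via, sets Client-IP to the client's
address, and sets Front-End-Https: on only when the client connected over
TLS. Host names and addresses are made up for the example.
"""
from typing import Dict, Iterable, Optional


def forward_headers(incoming: Dict[str, str], client_ip: str, client_tls: bool,
                    proxy_name: str, http_version: str = "1.1",
                    add_client_ip: bool = False, add_x_forwarded_for: bool = False,
                    add_via: bool = False, add_front_end_https: bool = False) -> Dict[str, str]:
    """Return the header set the proxy would send on to the origin server."""
    out = dict(incoming)
    if add_client_ip:
        out["Client-IP"] = client_ip
    if add_x_forwarded_for:
        # Append rather than replace: any value the client sent stays in the
        # chain, so the origin can still tell that it was client-supplied.
        prev = out.get("X-Forwarded-For")
        out["X-Forwarded-For"] = f"{prev}, {client_ip}" if prev else client_ip
    if add_via:
        hop = f"{http_version} {proxy_name}"
        prev = out.get("Via")
        out["Via"] = f"{prev}, {hop}" if prev else hop
    if add_front_end_https and client_tls:
        out["Front-End-Https"] = "on"
    return out


def real_client_ip(xff: Optional[str], peer_ip: str, trusted_proxies: Iterable[str]) -> str:
    """Origin-side check: recover the client address from X-Forwarded-For.

    Only entries appended by proxies we trust are reliable, and those are the
    right-most ones; everything to their left was supplied by whoever
    connected to the first trusted proxy and may be forged.
    """
    trusted = set(trusted_proxies)
    chain = [p.strip() for p in xff.split(",")] if xff else []
    chain.append(peer_ip)                 # the TCP peer is the last hop
    for addr in reversed(chain):
        if addr not in trusted:
            return addr
    return chain[0]                       # every hop trusted: nothing to unwrap


def naive_client_ip(xff: Optional[str], peer_ip: str) -> str:
    """The common mistake: trust the left-most X-Forwarded-For entry."""
    return xff.split(",")[0].strip() if xff else peer_ip


if __name__ == "__main__":
    # Constructed request: the client at 203.0.113.7 already sends a forged
    # X-Forwarded-For naming an internal address.
    spoofed = {"Host": "app.example.test", "X-Forwarded-For": "10.0.0.1"}
    sent = forward_headers(spoofed, "203.0.113.7", True, "sg-proxy.example.test",
                           add_client_ip=True, add_x_forwarded_for=True,
                           add_via=True, add_front_end_https=True)
    print(sent)
    # The origin sees the proxy (192.0.2.10) as its TCP peer.
    print(real_client_ip(sent["X-Forwarded-For"], "192.0.2.10", {"192.0.2.10"}))
    print(naive_client_ip(sent["X-Forwarded-For"], "192.0.2.10"))
```

The constructed request shows the point of appending rather than replacing: the origin that walks the chain from the right, skipping only its own trusted proxy, recovers 203.0.113.7, while the naive left-most read returns the forged 10.0.0.1.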

#(config) http [no] byte-ranges 
Enables HTTP byte-range support. 

If byte-range support is disabled, then HTTP treats all byte range requests as non-cacheable. This means
that HTTP never even checks to see if the object is in the cache, but forwards the request to the
origin server and does not cache the result. So the range request has no effect on the cache. For instance,
if the object was in the cache before a range request, it would still be in the cache afterward; the range
request does not delete any currently cached objects. Also, the Range header is not modified when
forwarded to the origin server.

If the requested byte range is type 3 or 4, then the request is treated as if byte-range support is disabled.
That is, the request is treated as non-cacheable and has no effect on objects in the cache.

#(config) http [no] cache authenticated-data 
Caches any data that appears to be authenticated. 

#(config) http [no] cache expired 

Retains cached objects older than the explicit expiration. 

#(config) http [no] cache personal-pages 
Caches objects that appear to be personal pages. 

#(config) http [no] force-ntlm 

Uses NTLM for Microsoft Internet Explorer proxy. 

#(config) http ftp-proxy-url root-dir

URL path is absolute in relation to the root.

#(config) http ftp-proxy-url user-dir

URL path is relative to the user's home directory.

#(config) http [no] parse meta-tag {cache-control | expires | pragma-no-cache} 

Parses HTML objects for the cache-control, expires , and pragma-no-cache meta-tags. 

#(config) http [no] persistent client 

Enables support for persistent client requests from the browser. 

#(config) http [no] persistent server 

Enables support for persistent server requests to the Web server. 

#(config) http [no] persistent-timeout client num_seconds

Sets persistent connection timeout for the client to num_seconds.

#(config) http [no] persistent-timeout server num_seconds

Sets persistent connection timeout for the server to num_seconds.
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#(config) http [no] pipeline client {requests | redirects} 

Prefetches either embedded objects in client requests or redirected responses to client requests. 

#(config) http [no] pipeline prefetch {requests | redirects}

Prefetches either embedded objects in pipelined objects or redirected responses to pipelined requests. 

#(config) http [no] proprietary-headers bluecoat 
Enables the Blue Coat proprietary HTTP header extensions. 

#(config) http receive-timeout client num_seconds
Sets receive timeout for client to num_seconds.

#(config) http receive-timeout refresh num_seconds
Sets receive timeout for refresh to num_seconds.

#(config) http receive-timeout server num_seconds
Sets receive timeout for server to num_seconds.

#(config) http [no] revalidate-pragma-no-cache 

Revalidates "Pragma: no-cache." 

#(config) http [no] strict-expiration refresh 

Forces compliance with explicit expirations by never refreshing objects before their explicit expiration. 

#(config) http [no] strict-expiration serve 

Forces compliance with explicit expirations by never serving objects after their explicit expiration. 

#(config) http [no] strip-from-header

Strips the From header, which can carry the user's e-mail address, from forwarded requests.

#(config) http [no] substitute conditional 
Uses an HTTP "get" in place of HTTP 1.1 conditional get. 

#(config) http [no] substitute ie-reload 

Uses an HTTP "get" for Microsoft Internet Explorer reload requests. 

#(config) http [no] substitute if-modified-since

Uses an HTTP "get" instead of "get-if-modified."

#(config) http [no] substitute pragma-no-cache 

Uses an HTTP "get" instead of "get pragma: no-cache." 

#(config) http [no] tolerant-request-parsing 
Enables or disables the HTTP tolerant-request-parsing flag. 

#(config) http upload-with-pasv disable 

Disables uploading with Passive FTP. 

#(config) http upload-with-pasv enable 

Enables uploading with Passive FTP. 

#(config) http version {1.0 | 1.1}

Indicates the version of HTTP that should be used by the SG appliance. 

#(config) http [no] www-redirect

Redirects to www.host.com if host is not found.

#(config) http [no] xp-rewrite-redirect 

Rewrites origin server 302s to 307s for Windows XP IE requests. 

For More Information 

□ #(config http) on page 238 

□ #(config http-console) on page 131 

□ Volume 2: Proxies and Proxy Services 



Chapter 3: Privileged Mode Configure Commands

#(config) icp

Synopsis 

ICP is a caching communication protocol. It allows a cache to query other caches for an object, without
actually requesting the object. By using ICP, the SG appliance determines if the object is available from
a neighboring cache, and which device provides the fastest response.

After you have created the ICP or advanced forwarding configuration file, place the file on an FTP or
HTTP server so it can be downloaded to the SG appliance. Because this file decides where the appliance
sends requests, host it on a server you control and restrict who can modify it.

Syntax 

#(config) icp no path

Negates the path previously set using the command icp path url.

#(config) icp path url

Specifies the network location of the ICP configuration file to download.



For More Information 

□ Volume 5: Advanced Networking 

Example 

SGOS#(config) icp path 10.25.36.47/files/icpconfig.txt

ok 
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#(config) identd 

Synopsis 

IDENTD implements the TCP/IP IDENT user identification protocol. IDENTD operates by looking up
specific TCP/IP connections and returning the user name of the process owning the connection. The
user name is supplied by the client machine that answers the query and is not authenticated, so treat it
as informational (for logging or policy matching) rather than as proof of identity.

Syntax 

#(config) identd 
This changes the prompt to:

#(config identd) 

Subcommands 

#(config identd) client server-query-port port

Specifies the port to query on the client machines. The default is 113.

#(config identd) client timeout seconds

Specifies the timeout in seconds for identd queries. The default is 30 seconds.

#(config identd) trim-whitespace {enable | disable}

Specify whether to trim leading and trailing whitespace in the username portion of the identd query
response. By default this is disabled.

If client identd servers are adding insignificant whitespace to the username field you might need to
enable this option to trim the username as expected.

#(config identd) exit

Exits configure identd mode and returns to configure mode.

#(config identd) server {enable | disable}

Enables or disables the IDENTD server on the SG appliance.

#(config identd) view

Displays current IDENTD settings.

For More Information 

□ Volume 5: Advanced Networking 

Example 

SGOS#(config) identd
SGOS#(config identd) server enable
ok

SGOS#(config identd) exit
SGOS#(config)
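The identd client described above sends one query line to port 113 on the client machine and reads back one reply line. The following is an added example in Python, not SGOS code, of that exchange as RFC 1413 defines it: building the query, parsing a USERID or ERROR reply, checking that the reply echoes the ports that were asked about, and applying the equivalent of the trim-whitespace option. The sample reply lines are constructed and the function names are the author's.

```python
"""Added illustration of an IDENT (RFC 1413) exchange as the identd client
above performs it; example code, not SGOS. The query and reply formats are
those of RFC 1413; the sample lines are constructed.

The parser returns the user name as data to log or match on. It comes from
the queried host and is not authenticated, so it is never proof of identity.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class IdentReply:
    port_on_client: int          # port on the host that answered the query
    port_on_proxy: int           # port on the querying host
    kind: str                    # "USERID" or "ERROR"
    opsys: Optional[str] = None
    user: Optional[str] = None
    error: Optional[str] = None


def build_query(port_on_client: int, port_on_proxy: int) -> bytes:
    """Query line sent to TCP port 113 on the client host."""
    return f"{port_on_client} , {port_on_proxy}\r\n".encode("ascii")


_PORTS = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")


def parse_reply(line: bytes, port_on_client: int, port_on_proxy: int,
                trim_whitespace: bool = False) -> IdentReply:
    """Parse one reply line, checking that it answers the query we sent.

    With trim_whitespace=False (the CLI default) the user-id is returned
    exactly as sent, padding included; the flag mirrors the trim-whitespace
    subcommand for identd servers that pad the field.
    """
    text = line.decode("ascii", errors="replace").rstrip("\r\n")
    fields = text.split(":", 3)
    if len(fields) < 3:
        raise ValueError(f"malformed ident reply: {text!r}")
    m = _PORTS.match(fields[0])
    if not m or (int(m[1]), int(m[2])) != (port_on_client, port_on_proxy):
        # A reply for a different port pair is not an answer to our query.
        raise ValueError(f"reply does not match query: {text!r}")
    kind = fields[1].strip().upper()
    if kind == "ERROR":
        return IdentReply(port_on_client, port_on_proxy, "ERROR", error=fields[2].strip())
    if kind != "USERID" or len(fields) != 4:
        raise ValueError(f"unexpected reply type: {text!r}")
    user = fields[3].strip() if trim_whitespace else fields[3]
    return IdentReply(port_on_client, port_on_proxy, "USERID",
                      opsys=fields[2].strip(), user=user)


if __name__ == "__main__":
    print(build_query(6191, 23))
    # Constructed replies as an identd on the client host might send them.
    print(parse_reply(b"6191 , 23 : USERID : UNIX : stjohns\r\n", 6191, 23))
    print(parse_reply(b"6191 , 23 : USERID : UNIX :  alice \r\n", 6191, 23, trim_whitespace=True))
    print(parse_reply(b"6191 , 23 : ERROR : NO-USER\r\n", 6191, 23))
```

Note the port check: the client host answers arbitrary port pairs, so a reply that does not echo the pair the proxy asked about is rejected rather than attributed to the wrong connection.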
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#(config) im 

Synopsis 

You can configure the IM proxy settings, assign an administrator buddy name for each client type, and
determine how exception messages are sent.

Syntax 

#(config) im aol-admin-buddy buddy
Set AOL admin buddy name.

#(config) im aol-direct-proxy-host host 
Set AOL direct proxy host. 

#(config) im aol-http-host host 
Set AOL HTTP host. 

#(config) im aol-native-host host 
Set AOL native host 

#(config) im buddy- spoof -message message_text 
Set buddy spoof message. 

#(config) im exceptions {in-band | out-of-band} 

in-band: Deliver IM exceptions in band, 
out-of-band: Deliver IM exceptions out of band. 

#(config) im explicit-proxy-vip virtuaI_IP_address 
Set explicit proxy virtual IP address. 

#(config) im msn-admin-buddy buddy
Set MSN admin buddy name. 

#(config) im msn-http-host host 
Set MSN HTTP host. 

#(config) im msn-native-host host 
Set MSN native host. 

#(config) im no explicit-proxy-vip
Disables explicit proxy VIP support.

#(config) im yahoo-admin-buddy buddy
Set Yahoo admin buddy name.

#(config) im yahoo-download-host host
Set Yahoo download host.

#(config) im yahoo-http-host host 
Set Yahoo HTTP host. 

#(config) im yahoo-http-chat-host host 
Set Yahoo HTTP chat host. 

#(config) im yahoo-native-host host 
Set Yahoo native host. 

#(config) im yahoo-upload-host host 
Set Yahoo upload host. 



For More Information 

□ Volume 3: Web Communication Proxies 
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Example 

SGOS# (config) im exceptions in-band 

ok 

SGOS#(config) im yahoo-admin-buddy testname

ok 
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#(config) inline 



See 

□ # inline on page 53. 
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#(config) installed-systems 




Synopsis 

Use this command to manage the list of installed SG systems. 

Syntax 

#(config) installed-systems 
This changes the prompt to: 

#(config installed-systems) 



Subcommands 

#(config installed-systems) default system_number

Sets the default system to the system indicated by system_number.

#(config installed-systems) delete system_number
Deletes the system indicated by system_number.

#(config installed-systems) exit

Exits configure installed-systems mode and returns to configure mode.

#(config installed-systems) lock system_number
Locks the system indicated by system_number.

#(config installed-systems) no {lock system_number | replace}

lock system_number: Unlocks the system indicated by system_number if it is currently locked.
replace: Specifies that the system currently tagged for replacement should not be replaced. The default
replacement is used (oldest unlocked system).

#(config installed-systems) replace system_number

Specifies that the system identified by system_number is to be replaced next.

#(config installed-systems) view 
Shows installed SG systems. 



For More Information 

□ Volume 10: Managing the Blue Coat SG Appliance 



Example 



SGOS# (config) installed-systems 
SGOS# (config installed-systems) default 2 
ok 

SGOS# (config installed-systems) lock 1 
ok 



SGOS# (config installed-systems) exit 
SGOS# (config) 
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#(config) interface 




Synopsis 

This command enables you to configure the network interfaces (both physical and Virtual LAN). 

The built-in Ethernet adapter is configured for the first time using the setup console. If you want to 
modify the built-in adapter configuration, or if you have multiple adapters, you can configure each 
one using the command-line interface. 

Syntax 

#(config) interface fast-ethernet interface_number

where interface_number selects the fast Ethernet interface to configure. Valid values for
interface_number are 0 through 3, inclusive.

#(config) interface interface_number

This changes the prompt to #(config interface interface_number)
#(config interface interface_number)

Syntax

#(config) interface interface_number
This changes the prompt to #(config interface interface_number)

Subcommands 

#(config interface interface_number) allow-intercept {enable | disable}

Allow transparent interception on this interface.*

#(config interface interface_number) exit

Exits #(config interface interface_number) mode and returns to #(config) mode.

#(config interface interface_number) full-duplex
Configures the interface for full-duplex.

#(config interface interface_number) half-duplex
Configures the interface for half-duplex.

#(config interface interface_number) ip-address ip_address
Sets the IP address for this interface to ip_address.

#(config interface interface_number) instructions {accelerated-pac | central-pac
url | default-pac | proxy}

accelerated-pac: Configures the browser to use your accelerated PAC file.
central-pac: Configures the browser to use your PAC file at url.
default-pac: Configures the browser to use a Blue Coat PAC file.
proxy: Configures the browser to use a proxy.

#(config interface interface_number) link-autosense {enable | disable}

Specifies that the interface should autosense speed and duplex.

#(config interface interface_number) mtu-size size
Specifies the MTU size.

#(config interface interface_number) no {accept-inbound | link-autosense}

Negates the current accept-inbound or link-autosense settings.

#(config interface interface_number) reject-inbound {enable | disable}

Rejects inbound connections on the interface.*

#(config interface interface_number) speed {10 | 100 | 1gb}

Specifies the interface speed.

#(config interface interface_number) subnet-mask subnet_mask
Sets the subnet mask for the interface.

#(config interface interface_number) native-vlan number
Sets the native VLAN value for this interface.

#(config interface interface_number) vlan-trunk {enable | disable}

Enables VLAN trunking on this interface.

#(config interface interface_number) clear-all-vlans
Resets all VLAN parameters to their default values.

#(config interface interface_number) view
Displays the interface settings.

*The allow-intercept and reject-inbound commands are interface-level configurations and
are not bridge-specific. The reject-inbound command always has precedence. As the table shows,
enabling reject-inbound also drops connections to the Management Console and SSH on that interface,
so do not enable it on the interface you manage the appliance through.

The following table describes how traffic is handled for the three possible settings of these options. 
reject-inbound   allow-intercept    Non-proxy ports      Explicit proxy     Transparent        Other ports
                                    (mgmt-console,       ports              proxy ports
                                    ssh, etc.)
---------------  -----------------  -------------------  -----------------  -----------------  -----------------
Disabled         Enabled            Terminated           Terminated         Terminated         Forwarded
Disabled         Disabled           Terminated           Terminated         Forwarded          Forwarded
Enabled          Enabled/Disabled   Silently dropped     Silently dropped   Silently dropped   Silently dropped

For More Information 

□ Volume 1: Getting started 



Example 



SGOS#(config) interface 0

SGOS#(config interface 0) ip-address 10.252.10.54
ok

SGOS#(config interface 0) instructions accelerated-pac
ok

SGOS#(config interface 0) subnet-mask 255.255.255.0
ok

SGOS#(config interface 0) exit
SGOS#(config) interface 1

SGOS#(config interface 1) ip-address 10.252.10.72
ok

SGOS#(config interface 1) subnet-mask 255.255.255.0
ok

SGOS#(config interface 1) exit



Volume 11: Command Line Interface Reference

#(config) ip-default-gateway

Synopsis 

A key feature of the SG appliance is the ability to distribute traffic originating at the cache through 
multiple IP gateways. Further, you can fine tune how the traffic is distributed among gateways. This 
feature works with any routing protocol (for example, static routes or RIP). 



Note: Load balancing through multiple IP gateways is independent from the per-interface load 

balancing that the SG appliance automatically does when more than one network interface is installed. 



Syntax 

#(config) ip-default-gateway ip_address [preference group (1-10)] [weight 
(1-100) ] 

Specifies the IP address of the default gateway to be used by the SG appliance. 

For More Information 

□ Volume 5: Advanced Networking 

Example 

SGOS# (config) ip-default-gateway 10.25.36.47 

ok 
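The preference group and weight parameters above are the two knobs for distributing traffic across several default gateways, but the page does not spell out how they interact. The following is an added example in Python, not SGOS code, of the scheme the two parameters suggest; it assumes that the lowest-numbered preference group with a reachable gateway is used, that flows are shared among that group's members in proportion to weight, and that the next group takes over only when every member of the preferred group is down. The gateway addresses and function names are the author's.

```python
"""Added illustration of preference groups and weights (not SGOS code).

Assumed semantics, stated here because the page only names the two
parameters: gateways in the lowest-numbered preference group that still
has a reachable member are used, traffic is shared among them in
proportion to weight, and only when every gateway in that group is down
does the next group take over. Addresses are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Gateway:
    ip: str
    group: int = 1      # preference group, 1-10
    weight: int = 100   # share within the group, 1-100


def active_group(gateways: List[Gateway], reachable: Set[str]) -> List[Gateway]:
    """Members of the best preference group that has at least one live gateway."""
    for group in sorted({g.group for g in gateways}):
        live = [g for g in gateways if g.group == group and g.ip in reachable]
        if live:
            return live
    return []


def traffic_share(gateways: List[Gateway], reachable: Set[str]) -> Dict[str, float]:
    """Fraction of new flows each gateway receives under the current reachability."""
    live = active_group(gateways, reachable)
    total = sum(g.weight for g in live)
    return {g.ip: g.weight / total for g in live} if total else {}


def pick(gateways: List[Gateway], reachable: Set[str], r: float) -> str:
    """Choose a gateway for one flow; r in [0, 1) stands in for the random draw."""
    live = active_group(gateways, reachable)
    if not live:
        raise RuntimeError("no reachable default gateway")
    total = sum(g.weight for g in live)
    cursor = r * total
    for g in live:                      # weighted selection by cumulative weight
        cursor -= g.weight
        if cursor < 0:
            return g.ip
    return live[-1].ip


# Constructed configuration: two primary gateways sharing 3:1, one backup path.
GATEWAYS = [Gateway("10.25.36.47", group=1, weight=75),
            Gateway("10.25.36.48", group=1, weight=25),
            Gateway("10.25.36.1", group=2, weight=100)]

if __name__ == "__main__":
    everything_up = {"10.25.36.47", "10.25.36.48", "10.25.36.1"}
    print(traffic_share(GATEWAYS, everything_up))
    print(traffic_share(GATEWAYS, {"10.25.36.48", "10.25.36.1"}))   # one primary down
    print(traffic_share(GATEWAYS, {"10.25.36.1"}))                  # group 1 down: failover
```

The practical check this gives you is the failover shape: losing one gateway in the preferred group redistributes its share within that group rather than spilling traffic onto the backup path, and the backup carries everything only once the whole preferred group is unreachable.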
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#(config) license-key 




Synopsis 

Use this command to configure license key settings. 

Syntax 

#(config) license-key auto-update {disable | enable} 

Disables or enables auto-update of the Blue Coat license key. 

#(config) license-key no path
Clears the license key download path set with license-key path.

#(config) license-key path uri 

Specifies the network path to download the license key. 



For More Information 

□ Volume 1: Getting started 

Example 

SGOS# (config) license-key no path 

ok 
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#(config) line-vty 






Synopsis 

When you have a CLI session, that session remains open as long as there is activity. If you leave the
session idle, the connection eventually times out and you must reconnect. The default timeout is five
minutes. You can set the timeout and other session-specific options using the line-vty command. A
longer timeout leaves an unattended privileged session usable for longer, so raise it only where the
console is protected.



Syntax 

#(config) line-vty 
This changes the prompt to: 
#(config line-vty) 



Subcommands 

#(config line-vty) exit 

Exits configure line-vty mode and returns to configure mode. 

#(config line-vty) length num_lines_on_screen

Specifies the number of lines of output that should appear on the screen at one time. Specify 0 to scroll
without pausing.

#(config line-vty) no length 
Disables screen paging. 

#(config line-vty) telnet {no transparent | transparent} 

Indicates that this is a Telnet protocol-specific configuration. If you specify no transparent, carriage 
returns are sent to the console as a carriage return plus linefeed. If you specify transparent, carriage 
returns are sent to the console as a carriage return. 

#(config line-vty) timeout minutes 

Sets the line timeout to the number of minutes indicated by minutes. 

#(config line-vty) view

Displays the current line-vty settings.

Example 

SGOS# (config) line-vty 
SGOS# (config line-vty) timeout 60 
ok 

SGOS# (config line-vty) exit 
SGOS# (config) 
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#(config) load 




See 

□ # load on page 57. 
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#(config) mapi 




Synopsis 

Configures MAPI 

Syntax 

SGOS#(config) mapi

This changes the prompt to:

SGOS#(config mapi) [subcommands]

Subcommands

SGOS#(config mapi) batching {enable | disable}

Enables or disables batching. The default is enabled.

SGOS#(config mapi) exit

Exits the mapi mode and returns to SGOS#(config) mode.

SGOS#(config mapi) handoff {enable | disable}

Use the endpoint-mapper service. The default is enabled.

SGOS#(config mapi) keep-alive duration 1-168

Sets the length of time, in hours, that the session is active. The default is 72 hours.

SGOS#(config mapi) keep-alive {enable | disable}

Enables the keep-alive configuration. The default is disabled.

SGOS#(config mapi) keep-alive interval 15-60

Sets the length of time, in minutes, before the service checks for new e-mail. The default is 30 minutes.

SGOS#(config mapi) keep-alive max-sessions 1-200

Sets the maximum number of active sessions at any given point. The default is 100 sessions. If the limit is
reached, the oldest session is dropped.

SGOS#(config mapi) view

Views the MAPI configuration.



For More Information 

□ "#(config endpoint-mapper)" on page 236 



Example 



SGOS#(config mapi) view
Batching:                        enabled
Keep-Alive:                      disabled
Keep-Alive Duration (hours):     72
Keep-Alive Interval (minutes):   30
Keep-Alive Maximum Sessions:     100
Endpoint Mapper Handoff:         enabled
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#(config) netbios 




Synopsis 

Use this command to configure NetBIOS. 

Syntax 

#(config) netbios 
This changes the prompt to: 

#(config netbios) 

#(config netbios) exit 

Exits configure netbios mode and returns to configure mode. 

#(config netbios) nbstat {requester {retries | timeout} | responder {enable | disable}}

Requester is enabled by default, with three retries and a five-second timeout. Responder is disabled by
default.

#(config netbios) view 
Shows the NetBIOS settings. 



For More Information 

□ Volume 5: Advanced Networking 

Example 

SGOS#(config) netbios

SGOS#(config netbios) nbstat responder enable
ok

SGOS#(config netbios) exit
SGOS#(config)
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#(config) no 




Synopsis 

Use this command to negate the current settings for the archive configuration, bridge, content priority,
IP default gateway, serial number, SOCKS machine ID, or system upgrade path.

Syntax 

#(config) no archive-configuration 
Clears the archive configuration upload site. 

#(config) no bridge bridge_name 
Clears the bridge configuration. 

#(config) no content {priority {regex regex | url url} | outstanding-requests
{delete | priority | revalidate} regex}

priority {regex regex | url url}: Removes a deletion regular expression policy or a deletion URL
policy.

outstanding-requests {delete | priority | revalidate} regex: Deletes a specific,
regular expression command in progress (revalidation, priority, or deletion).

#(config) no ip-default-gateway ip_address 
Sets the default gateway IP address to zero. 

#(config) no serial-number
Removes the serial number.

#(config) no socks -machine -id 

Removes the SOCKS machine ID from the configuration. 

#(config) no upgrade-path 

Clears the upgrade image download path. 



For More information 

□ Volume 1: Getting started 

□ Volume 5: Advanced Networking 



Example

SGOS#(config) no archive-configuration
ok

SGOS#(config) no content priority regex http://.*cnn.com
ok

SGOS#(config) no content priority url http://www.bluecoat.com
ok

SGOS#(config) no ip-default-gateway 10.252.10.50
ok

SGOS#(config) no socks-machine-id
ok

SGOS#(config) no upgrade-path
ok
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#(config) ntp 




Synopsis 

Use this command to set NTP parameters. Network Time Protocol (NTP) is a protocol that is used to
synchronize computer clock times in a network of computers. The SG appliance sets the UTC time by
connecting to an NTP server. The SG appliance includes a list of NTP servers available on the Internet.
If an NTP server is not available, you can set the time manually using the Management Console.
Certificate validity checks and log timestamps depend on the clock, so point the appliance at NTP
servers you control or trust.

Syntax 

#(config) ntp clear 

Removes all entries from the NTP server list. 

#(config) ntp disable 
Disables NTP. 

#(config) ntp enable 
Enables NTP. 

#(config) ntp interval minutes 

Specifies how often to perform NTP server queries. 

#(config) ntp no server domain_name

Removes the NTP server named domain_name from the NTP server list.

#(config) ntp server domain_name

Adds the NTP server named domain_name to the NTP server list.

For More Information 

□ Volume 1: Getting started 

Example 

SGOS# (config) ntp server clock.tricity.wsu.edu 

ok 
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#(config) policy 




Synopsis 

Use this command to specify central and local policy file location, status, and other options. Policy
determines what the appliance allows and denies, so host policy files on servers you control; a file
fetched over plain HTTP can be altered by anyone on the network path between that server and the
appliance.

Syntax 

#(config) policy central-path url

Specifies the network path (indicated by url) from which the central policy file can be downloaded.

#(config) policy forward-path url

Specifies the network path (indicated by url) from which the forward policy file can be downloaded.

#(config) policy local-path url

Specifies the network path (indicated by url) from which the local policy file can be downloaded.

#(config) policy no central-path 

Specifies that the current central policy file URL setting should be cleared. 

#(config) policy no forward-path 

Specifies that the current forward policy file URL setting should be cleared. 

#(config) policy no local-path 

Specifies that the current local policy file URL setting should be cleared. 

#(config) policy no notify 

Specifies that no e-mail notification should be sent if the central policy file should change. 

#(config) policy no subscribe 

Specifies that the current policy should not be automatically updated in the event of a central policy 
change. 

#(config) policy no vpm-cpl-path 

Clears the network path to download VPM CPL policy. 

#(config) policy no vpm-software 

Clears the network path to download VPM software. 

#(config) policy no vpm-xml-path 

Clears the network path to download VPM XML policy. 

#(config) policy notify 

Specifies that an e-mail notification should be sent if the central policy file should change. 

#(config) policy order order
Specifies the policy evaluation order, where order lists v (VPM), l (local), and c (central) in the
sequence they should be evaluated, for example v l c.

#(config) policy poll-interval minutes 

Specifies the number of minutes that should pass between tests for central policy file changes. 

#(config) policy poll-now 

Tests for central policy file changes immediately. 

#(config) policy proxy-default {allow | deny}
allow: The default proxy policy is allow; requests not matched by any policy rule are permitted.
deny: The default proxy policy is deny; requests not matched by any policy rule are refused, which is
the safer default for a proxy reachable from untrusted networks.

#(config) policy reset 
Clears all policies. 

#(config) policy subscribe 

Indicates that the current policy should be automatically updated in the event of a central policy change. 
#(config) policy vpm-cpl-path url 

Specifies the network path (indicated by url) from which the vpm-cpl policy file can be downloaded. 
#(config) policy vpm-software url

Specifies the network path to download the VPM software.

#(config) policy vpm-xml-path url

Specifies the network path (indicated by url) from which the vpm-xml policy file can be downloaded.

For More Information 

□ Volume 6: VPM and Advanced Policy 

Example

SGOS# (config) policy local-path http://www.server1.com/local.txt
ok

SGOS# (config) policy central-path http://www.server2.com/central.txt
ok

SGOS# (config) policy poll-interval 10
#(config) profile

Synopsis 

Sets your system profile to normal (the default setting) or portal (to accelerate the server). 

Syntax 

#(config) profile bwgain 

Sets your system profile to bandwidth gain. 

#(config) profile normal 

Sets your system profile to normal. 

#(config) profile portal 

Sets your system profile to portal. 

For More Information 

□ Volume 2: Proxies and Proxy Services 

Example 

SGOS# (config) profile normal 

ok 
#(config) proxy-services

Synopsis 

Manages the proxy services on the SG appliance. 

Syntax 

#(config) proxy-services

This changes the prompt to:

#(config proxy-services)

Subcommands

Note: Additional information is found under options that are hyperlinked (blue).

#(config proxy-services) create service_type service_name

Creates a proxy service of the type and name that you specify. For more information on creating specific
proxy services, see Available Service Types on page 228.

#(config proxy-services) delete service_name

Deletes the specified proxy service.

#(config proxy-services) dynamic-bypass

Changes the prompt to #(config dynamic-bypass) on page 230 to allow you to manage
dynamic-bypass settings.

#(config proxy-services) edit service_name

Allows you to edit a proxy service of the specified name. For more information on editing specific proxy
services, see Available Service Types on page 228.

#(config proxy-services) exit

Returns to the #(config) prompt.

#(config proxy-services) restricted-intercept

Changes the prompt to #(config restricted-intercept) on page 244 to allow you to restrict
interception to a limited number of clients and servers.

#(config proxy-services) static-bypass

Changes the prompt to #(config static-bypass) on page 232 to allow you to manage
static-bypass settings.

#(config proxy-services) view {dynamic-bypass | services | static-bypass}

Allows you to view proxy service parameters.

Available Service Types

You can create proxy services using the following service types:

Note: The service types listed below are not necessarily the service names you use. The syntax for
creating a service type is #(config proxy-services) create service_type service_name, where
service_type is one of those listed below and service_name is of your choosing.

□ #(config aol-im) on page 233
□ #(config dns) on page 235
□ #(config endpoint-mapper) on page 236
□ #(config ftp) on page 237
□ #(config http) on page 238
□ #(config https-reverse-proxy) on page 240
□ #(config mms) on page 242
□ #(config msn-im) on page 243
□ #(config rtsp) on page 245
□ #(config socks) on page 246
□ #(config ssl) on page 247
□ #(config tcp-tunnel) on page 248
□ #(config telnet) on page 250
□ #(config yahoo-im) on page 251



For More Information 

□ Volume 2: Proxies and Proxy Services 



Example

#(config proxy-services) create tcp-tunnel tcp_tunnel_2
ok
#(config proxy-services) edit tcp_tunnel_2
#(config tcp_tunnel_2) ?
add          Add a listener
attribute    Configure service attributes
bypass       Change a particular listener's action to bypass
exit         Return to (config proxy-services) prompt
intercept    Change a particular listener's action to intercept
remove       Remove a listener
view         Show proxy service configuration
#(config dynamic-bypass)

Synopsis 

Dynamic bypass provides a maintenance-free method for improving performance of the SG appliance
by automatically compiling a list of requested URLs that return various kinds of errors.

Syntax 

#(config) proxy-services

#(config proxy-services) dynamic-bypass

The prompt changes to: 

#(config dynamic-bypass) 

Subcommands 

#(config dynamic-bypass) clear

Clears all dynamic bypass entries.

#(config dynamic-bypass) disable

Disables dynamic bypass.

#(config dynamic-bypass) enable

Enables dynamic bypass.

#(config dynamic-bypass) exit

Exits to the #(config proxy-services) prompt.

#(config dynamic-bypass) max-entries number_of_entries

Specifies the maximum number of dynamic-bypass entries. Connections that match entries in the
dynamic bypass list are not intercepted by the application proxies. Entries in the dynamic bypass list
eventually time out based on the configuration. If the list grows beyond its configured size, the oldest
entry is removed.

#(config dynamic-bypass) no trigger {all | connect-error | non-http |
receive-error | 400 | 403 | 405 | 406 | 500 | 502 | 503 | 504}

Disables dynamic bypass for the specified HTTP response code, all HTTP response codes, or all
non-HTTP responses. Values are specified below.



Event Value      Description

all              Enables all dynamic bypass triggers.
non-http         Enables dynamic bypass for non-HTTP responses.
connect-error    Enables dynamic bypass for any connection failure to the origin content server,
                 including timeouts.
receive-error    Enables dynamic bypass for when a TCP connection to an origin content server
                 succeeds, but the cache does not receive an HTTP response.
400              Enables dynamic bypass for HTTP 400 responses.
401              Enables dynamic bypass for HTTP 401 responses.
403              Enables dynamic bypass for HTTP 403 responses.
405              Enables dynamic bypass for HTTP 405 responses.
406              Enables dynamic bypass for HTTP 406 responses.
500              Enables dynamic bypass for HTTP 500 responses.
502              Enables dynamic bypass for HTTP 502 responses.
503              Enables dynamic bypass for HTTP 503 responses.
504              Enables dynamic bypass for HTTP 504 responses.



#(config dynamic-bypass) server-threshold number_of_entries

Specifies the number of client entries for all clients to bypass a server. Each dynamic entry can be
identified by a server address or client/server address pair. A dynamic entry without a client address
means the client address is a wildcard address. For example, if the server threshold is set to 10 and there
are already nine dynamic entries with different client addresses for the same server address, the next
time a new dynamic entry is added to the same server address but contains a different client address, the
SG appliance compresses the nine dynamic entries into one dynamic entry with server address only; all
clients going to that server address are bypassed.

#(config dynamic-bypass) timeout minutes

Sets the dynamic-bypass timeout interval in minutes.

#(config dynamic-bypass) trigger {all | connect-error | non-http | receive-error
| 400 | 403 | 405 | 406 | 500 | 502 | 503 | 504}

Enables dynamic bypass for the specified HTTP response code, all HTTP response codes, or all
non-HTTP responses.

#(config dynamic-bypass) view {configuration | filter {* | all |
client_ip_address | client_ip_address/subnet-mask} {* | all |
server_ip_address | server_ip_address/subnet-mask} | <Enter>}

Allows you to view the dynamic-bypass configuration or to filter the dynamic-bypass list on the
parameters above.
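
The interaction of max-entries, server-threshold, timeout and the trigger list is easier to see in a working model than in the subcommand descriptions. The following Python class is an added illustration, not SGOS code: it mirrors the subcommands above (enable, disable, trigger, no trigger, clear, max-entries, server-threshold, timeout, view) and exposes is_bypassed(), the check a proxy makes before policy evaluation. The default limits in the constructor are constructed for the demonstration and are not the appliance's defaults; time is passed in as minutes so the timeout behaviour is deterministic.

```python
"""Model of a dynamic-bypass list (added illustration, not SGOS code)."""
from collections import OrderedDict

# Trigger values from the table above; "all" selects every one of them.
TRIGGERS = frozenset({"connect-error", "non-http", "receive-error",
                      "400", "401", "403", "405", "406",
                      "500", "502", "503", "504"})


class DynamicBypass:
    # Constructed demo defaults, not the appliance's own defaults.
    def __init__(self, max_entries=1000, server_threshold=16, timeout_min=60):
        self.enabled = False
        self.triggers = set()
        self.max_entries = max_entries
        self.server_threshold = server_threshold
        self.timeout_min = timeout_min
        # (client or None, server) -> minute the entry was added or refreshed.
        # A None client is the wildcard: every client to that server is bypassed.
        self.entries = OrderedDict()

    def enable(self):
        self.enabled = True

    def disable(self):
        self.enabled = False

    def clear(self):
        self.entries.clear()

    def trigger(self, name):
        """trigger all | <event>: enable a bypass trigger."""
        if name == "all":
            self.triggers = set(TRIGGERS)
        elif name in TRIGGERS:
            self.triggers.add(name)
        else:
            raise ValueError(f"unknown trigger {name!r}")

    def no_trigger(self, name):
        """no trigger all | <event>: disable a bypass trigger."""
        if name == "all":
            self.triggers.clear()
        elif name in TRIGGERS:
            self.triggers.discard(name)
        else:
            raise ValueError(f"unknown trigger {name!r}")

    def _expire(self, now):
        # Entries time out after timeout_min minutes.
        stale = [k for k, t in self.entries.items() if now - t >= self.timeout_min]
        for k in stale:
            del self.entries[k]

    def record_event(self, client, server, event, now):
        """A request from client to server produced `event` (an HTTP status
        string or connect-error / receive-error / non-http). Returns True when
        the event added or refreshed a bypass entry."""
        if not self.enabled or event not in self.triggers:
            return False
        self._expire(now)
        if (None, server) in self.entries:
            self.entries[(None, server)] = now      # already server-wide; refresh
            return True
        self.entries[(client, server)] = now
        self.entries.move_to_end((client, server))
        # server-threshold: once this many distinct clients have entries for the
        # same server, collapse them into a single server-only (wildcard) entry.
        per_client = [k for k in self.entries if k[1] == server and k[0] is not None]
        if len(per_client) >= self.server_threshold:
            for k in per_client:
                del self.entries[k]
            self.entries[(None, server)] = now
        # max-entries: the oldest entry is dropped when the list is full.
        while len(self.entries) > self.max_entries:
            self.entries.popitem(last=False)
        return True

    def is_bypassed(self, client, server, now):
        """The check made before policy evaluation. True means the connection is
        not intercepted and on-box policy is never applied to it, which is the
        risk the CLI WARNING in the example below refers to."""
        self._expire(now)
        return (None, server) in self.entries or (client, server) in self.entries

    def view(self):
        """Rows in the style of 'view filter': (client or *, server, minute added)."""
        return [(c or "*", s, t) for (c, s), t in self.entries.items()]
```

A useful defensive check with this model is to list view() after a trigger storm: a wildcard row means a whole origin server has dropped out of policy for every client until the timeout expires.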

For More Information 

□ Volume 2: Proxies and Proxy Services 

□ Volume 10: Content Policy Language Guide 

Example 

#(config) proxy-services

#(config proxy-services) dynamic-bypass

#(config dynamic-bypass) clear
ok

#(config dynamic-bypass) enable

WARNING:

Requests to sites that are put into the dynamic bypass list will
bypass future policy evaluation. This could result in subversion
of on-box policy. The use of dynamic bypass is cautioned.
ok

#(config dynamic-bypass) trigger all 
ok 
#(config static-bypass)

Synopsis 

Static bypass prevents the SG appliance from transparently accelerating requests to servers that
perform IP authentication with clients. When a request matches an IP address and subnet mask
specification, the request is sent to the designated gateway without going through the SG appliance.

Syntax

#(config) proxy-services

#(config proxy-services) static-bypass

#(config static-bypass)

Subcommands

#(config static-bypass) add {all | client_ip_address | client_ip_address/subnet-mask}
{all | server_ip_address | server_ip_address/subnet-mask}

Allows you to add a listener with the parameters you specify.

#(config static-bypass) exit

Exits from the #(config static-bypass) mode and returns to the #(config proxy-services)
mode.

#(config static-bypass) view {filter {* | all | client_ip_address |
client_ip_address/subnet-mask} {* | all | server_ip_address |
server_ip_address/subnet-mask} | <Enter>}

Allows you to view static bypass entries based on the filters you specify.

For More Information 

□ Volume 2: Proxies and Proxy Services 

Example 

SGOS# (config proxy-services) static-bypass

SGOS# (config static-bypass) add 10.9.17.135 all

ok 
#(config aol-im)

Synopsis 

Enters the subcommand mode to allow you to manage a specific proxy service. 

Syntax 

#(config proxy-services) create service_type service_name
#(config proxy-services) edit service_name

This changes the prompt to:

#(config service_name)

Subcommands

#(config service_name) add {all | ip_address | ip_address/subnet-mask} {port |
first_port-last_port} [intercept | bypass]

Allows you to add a listener with the parameters you specify.

#(config service_name) attribute reflect-client-ip {disable | enable}

Enables or disables sending of the client's IP address instead of the SG's IP address.

#(config service_name) bypass {all | ip_address | ip_address/subnet-mask} {port |
first_port-last_port}

Changes the behavior from intercept to bypass for the listener you specify.

#(config service_name) exit

Exits to the #(config proxy-services) prompt.

#(config service_name) intercept {all | ip_address | ip_address/subnet-mask} {port
| first_port-last_port}

Changes the behavior from bypass to intercept for the listener you specify.

#(config service_name) view

Views the specified proxy service.

For More Information 

□ Volume 2: Proxies and Proxy Services 

Example 

SGOS# (config proxy-services) create aol-im aol1
SGOS# (config proxy-services) edit aol1

SGOS# (config aol1) attribute reflect-client-ip enable

ok 
#(config cifs)

Synopsis 

Enters the subcommand mode to allow you to manage a specific proxy service. 

Syntax 

#(config proxy-services) create service_type service_name
#(config proxy-services) edit service_name

This changes the prompt to:

#(config service_name)

Subcommands

#(config service_name) add {transparent | ip_address | ip_address/subnet-mask}
{port | first_port-last_port} [intercept | bypass]

Allows you to add a listener with the parameters you specify.

#(config service_name) attribute adn-optimize {disable | enable}

Controls whether to optimize bandwidth usage when connecting upstream using an ADN tunnel.

#(config service_name) attribute reflect-client-ip {disable | enable}

Enables or disables sending of the client's IP address instead of the SG's IP address.

#(config service_name) attribute use-adn {disable | enable}

Controls whether ADN is enabled for a specific service. Enabling ADN does not guarantee the
connections are accelerated by ADN. The actual enable decision is determined by ADN routing (for
explicit deployment) and network setup (for transparent deployment).

#(config service_name) bypass {transparent | ip_address | ip_address/subnet-mask}
{port | first_port-last_port}

Changes the behavior from intercept to bypass for the listener you specify.

#(config service_name) exit

Exits to the #(config proxy-services) prompt.

#(config service_name) intercept {transparent | ip_address |
ip_address/subnet-mask} {port | first_port-last_port}

Changes the behavior from bypass to intercept for the listener you specify.

#(config service_name) view

Views the specified proxy service.

For More Information 

□ Volume 2: Proxies and Proxy Services 

Example 

SGOS# (config proxy-services) create cifs cifs1

SGOS# (config proxy-services) edit cifs1

SGOS# (config cifs1) attribute adn-optimize enable

ok 
#(config dns)

Synopsis 

Enters the subcommand mode to allow you to manage a specific proxy service. 

Syntax 

#(config proxy-services) create service_type service_name

#(config proxy-services) edit service_name

This changes the prompt to:

#(config service_name)

Subcommands

#(config service_name) add {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port} [intercept | bypass]

Allows you to add a listener with the parameters you specify.

#(config service_name) attribute reflect-client-ip {disable | enable}

Enables or disables sending of the client's IP address instead of the SG's IP address.

#(config service_name) bypass {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port}

Changes the behavior from intercept to bypass for the listener you specify.

#(config service_name) exit

Exits to the #(config proxy-services) prompt.

#(config service_name) intercept {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port}

Changes the behavior from bypass to intercept for the listener you specify.

#(config service_name) view

Views the specified proxy service.

For More Information 

□ Volume 2: Proxies and Proxy Services 

Example 

SGOS# (config proxy-services) create dns dns1

SGOS# (config proxy-services) edit dns1

SGOS# (config dns1) attribute reflect-client-ip enable

ok 
#(config endpoint-mapper)



Synopsis 

Enters the subcommand mode to allow you to manage a specific proxy service. 

Syntax 

#(config proxy-services) create service_type service_name
#(config proxy-services) edit service_name

This changes the prompt to:

#(config service_name)

Subcommands

#(config service_name) add {all | ip_address | ip_address/subnet-mask}
{port | first_port-last_port} [intercept | bypass]

Allows you to add a listener with the parameters you specify.

#(config service_name) attribute adn-optimize {disable | enable}

Controls whether to optimize bandwidth usage when connecting upstream using an ADN tunnel.

#(config service_name) attribute reflect-client-ip {disable | enable}

Enables or disables sending of the client's IP address instead of the SG's IP address.

#(config service_name) attribute use-adn {disable | enable}

Controls whether ADN is enabled for a specific service. Enabling ADN does not guarantee the
connections are accelerated by ADN. The actual enable decision is determined by ADN routing (for
explicit deployment) and network setup (for transparent deployment).

#(config service_name) bypass {all | ip_address | ip_address/subnet-mask} {port |
first_port-last_port}

Changes the behavior from intercept to bypass for the listener you specify.

#(config service_name) exit

Exits to the #(config proxy-services) prompt.

#(config service_name) intercept {all | ip_address | ip_address/subnet-mask}
{port | first_port-last_port}

Changes the behavior from bypass to intercept for the listener you specify.

#(config service_name) view

Views the specified proxy service.

For More Information 

□ Volume 2: Proxies and Proxy Services 



Example

SGOS# (config proxy-services) create endpoint-mapper epmapper1
SGOS# (config proxy-services) edit epmapper1
SGOS# (config epmapper1) add all 10003
ok
#(config ftp)

Synopsis 

Enters the subcommand mode to allow you to manage a specific proxy service. 

Syntax 

#(config proxy-services) create service_type service_name
#(config proxy-services) edit service_name

This changes the prompt to:

#(config service_name)

Subcommands

#(config service_name) add {all | ip_address | ip_address/subnet-mask} {port |
first_port-last_port} [intercept | bypass]

Allows you to add a listener with the parameters you specify.

#(config service_name) attribute reflect-client-ip {enable | disable}

Enables or disables sending of the client's IP address instead of the SG's IP address.

#(config service_name) attribute adn-optimize {disable | enable}

Controls whether to optimize bandwidth usage when connecting upstream using an ADN tunnel.

#(config service_name) attribute use-adn {disable | enable}

Controls whether ADN is enabled for a specific service. Enabling ADN does not guarantee the
connections are accelerated by ADN. The actual enable decision is determined by ADN routing (for
explicit deployment) and network setup (for transparent deployment).

#(config service_name) bypass {all | ip_address | ip_address/subnet-mask} {port |
first_port-last_port}

Changes the behavior from intercept to bypass for the listener you specify.

#(config service_name) exit

Exits to the #(config proxy-services) prompt.

#(config service_name) intercept {all | ip_address | ip_address/subnet-mask}
{port | first_port-last_port}

Changes the behavior from bypass to intercept for the listener you specify.

#(config service_name) view

Views the specified proxy service.

For More Information 

□ Volume 2: Proxies and Proxy Services 

Example 

SGOS# (config proxy-services) create ftp ftp1
SGOS# (config proxy-services) edit ftp1
SGOS# (config ftp1) intercept all 10004
ok 
#(config http)

Synopsis 

Enters the subcommand mode to allow you to manage a specific proxy service. 

Syntax 

#(config proxy-services) create service_type service_name

#(config proxy-services) edit service_name

This changes the prompt to:

#(config service_name)

Subcommands

#(config service_name) add {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port} [intercept | bypass]

Allows you to add a listener with the parameters you specify.

#(config service_name) attribute adn-optimize {disable | enable}

Controls whether to optimize bandwidth usage when connecting upstream using an ADN tunnel.

#(config service_name) attribute authenticate-401 {disable | enable}

All transparent and explicit requests received on the port always use transparent authentication (cookie
or IP, depending on the configuration). This is especially useful to force transparent proxy authentication
in some proxy-chaining scenarios.

#(config service_name) attribute connect {disable | enable}

This command is deprecated. Policy should be used instead. For example:

; To block CONNECT destined to ports other than 443
<Proxy>
url.port=!443 http.method=CONNECT deny

#(config service_name) attribute detect-protocol {disable | enable}

Protocols that can be detected include: HTTP, P2P (eDonkey, BitTorrent, FastTrack, Gnutella), SSL, and
Endpoint Mapper.

#(config service_name) attribute head {disable | enable}

This command is deprecated. Policy should be used instead. For example:

; To block HEAD methods
<Proxy>
http.method=HEAD deny

#(config service_name) attribute reflect-client-ip {disable | enable}

Enables or disables sending of the client's IP address instead of the SG's IP address.

#(config service_name) attribute use-adn {disable | enable}

Controls whether ADN is enabled for a specific service. Enabling ADN does not guarantee the
connections are accelerated by ADN. The actual enable decision is determined by ADN routing (for
explicit deployment) and network setup (for transparent deployment).

#(config service_name) bypass {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port}

Changes the behavior from intercept to bypass for the listener you specify.

#(config service_name) exit

Exits to the #(config proxy-services) prompt.
#(config service_name) intercept {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port}

Changes the behavior from bypass to intercept for the listener you specify.

#(config service_name) view

Views the specified proxy service.

For More Information 

□ Volume 2: Proxies and Proxy Services 

Example 

SGOS# (config proxy-services) create http http2 

SGOS# (config proxy-services) edit http2 

SGOS# (config http2) attribute authenticate-401 enable 

ok 
#(config https-reverse-proxy)

Synopsis 

Enters the subcommand mode to allow you to manage a specific proxy service. 

Syntax 

#(config proxy-services) create service_type service_name

#(config proxy-services) edit service_name

This changes the prompt to:

#(config service_name)

Subcommands

#(config service_name) add {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port} [intercept | bypass]

Allows you to add a listener with the parameters specified.

#(config service_name) attribute adn-optimize {disable | enable}

Controls whether to optimize bandwidth usage when connecting upstream using an ADN tunnel.

#(config service_name) attribute ccl list_name

CA Certificate List used for verifying client certificates.

#(config service_name) attribute cipher-suite cipher-suite-l-

Allows you to specify the cipher suites you want to use with the https-reverse-proxy service.

#(config service_name) attribute forward-client-cert {disable | enable}

When used with the verify-client attribute, puts the extracted client certificate information
into a header that is included in the request when it is forwarded to the OCS. The name of the
header is Client-Cert. The header contains the certificate serial number, subject, validity dates
and issuer (all as name=value pairs). The actual certificate is not forwarded.

#(config service_name) attribute keyring keyring-ID

Allows you to specify the keyring you want to use with this service.

#(config service_name) attribute reflect-client-ip {disable | enable}

Enables or disables sending of the client's IP address instead of the SG's IP address.

#(config service_name) attribute use-adn {disable | enable}

Controls whether ADN is enabled for a specific service. Enabling ADN does not guarantee the
connections are accelerated by ADN. The actual enable decision is determined by ADN routing (for
explicit deployment) and network setup (for transparent deployment).

#(config service_name) attribute ssl-versions {sslv2 | sslv3 | tlsv1 | sslv2v3 |
sslv2tlsv1 | sslv3tlsv1 | sslv2v3tlsv1}

Allows you to select which versions of SSL you want to support. The default is to support SSL v2 and v3
and enable TLS.

#(config service_name) attribute verify-client {disable | enable}

Requests and validates the SSL client certificate.

#(config service_name) bypass {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port}

Changes the behavior from intercept to bypass for the listener specified.

#(config service_name) exit

Exits to the #(config proxy-services) prompt.
#(config service_name) intercept {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port}

Changes the behavior from bypass to intercept for the listener you specify.

#(config service_name) view

Views the specified proxy service.

For More Information 

□ Volume 2: Proxies and Proxy Services 

Example 

SGOS# (config proxy-services) create https-reverse-proxy HTTPS_RP1 

SGOS# (config proxy-services) edit HTTPS_RP1 

SGOS# (config HTTPS_RP1) attribute reflect-client-ip enable

ok 
#(config mms)

Synopsis 

Enters the subcommand mode to allow you to manage a specific proxy service. 

Syntax 

#(config proxy-services) create service_type service_name
#(config proxy-services) edit service_name

This changes the prompt to:

#(config service_name)

Subcommands

#(config service_name) add {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port} [intercept | bypass]

Allows you to add a listener with the parameters you specify.

#(config service_name) attribute reflect-client-ip {disable | enable}

Enables or disables sending of the client's IP address instead of the SG's IP address.

#(config service_name) bypass {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port}

Changes the behavior from intercept to bypass for the listener you specify.

#(config service_name) exit

Exits to the #(config proxy-services) prompt.

#(config service_name) intercept {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port}

Changes the behavior from bypass to intercept for the listener you specify.

#(config service_name) view

Views the specified proxy service.

For More Information 

□ Volume 2: Proxies and Proxy Services 

Example 

SGOS# (config proxy-services) create mms mms1

SGOS# (config proxy-services) edit mms1

SGOS# (config mms1) attribute reflect-client-ip enable

ok 
#(config msn-im)

Synopsis 

Enters the subcommand mode to allow you to manage a specific proxy service. 

Syntax 

#(config proxy-services) create service_type service_name
#(config proxy-services) edit service_name

This changes the prompt to:

#(config service_name)

Subcommands

#(config service_name) add {all | ip_address | ip_address/subnet-mask} {port |
first_port-last_port} [intercept | bypass]

Allows you to add a listener with the parameters you specify.

#(config service_name) attribute reflect-client-ip {disable | enable}

Enables or disables sending of the client's IP address instead of the SG's IP address.

#(config service_name) bypass {all | ip_address | ip_address/subnet-mask} {port |
first_port-last_port}

Changes the behavior from intercept to bypass for the listener you specify.

#(config service_name) exit

Exits to the #(config proxy-services) prompt.

#(config service_name) intercept {all | ip_address | ip_address/subnet-mask} {port
| first_port-last_port}

Changes the behavior from bypass to intercept for the listener you specify.

#(config service_name) view

Views the specified proxy service.

For More Information 

□ Volume 2: Proxies and Proxy Services 

Example 

SGOS# (config proxy-services) create msn-im msn1

SGOS# (config proxy-services) edit msn1

SGOS# (config msn1) attribute reflect-client-ip enable

ok 
#(config restricted-intercept)

Synopsis 

By default, all clients and servers evaluate the entries in Proxy Services (Configuration > Services >
Proxy Services) where the decision is made to intercept or bypass a connection. To restrict or reduce
the clients and servers that can be intercepted by proxy services, use the restricted intercept list. The
restricted intercept list is useful in a rollout, prior to full production, where you only want to intercept
a subset of the clients. After you are in full production mode, the restricted intercept list can be
disabled.

Enabling restricted intercept only intercepts traffic specified in the client/server list. Disabling
restricted intercept results in normal interception.

Syntax

#(config) proxy-services

#(config proxy-services) restricted-intercept

The prompt changes to:

#(config restricted-intercept)

Subcommands

#(config restricted-intercept) {enable | disable}

Enables or disables the restricted-intercept list.

#(config restricted-intercept) add {all | client_ip | client_ip/subnet-mask} {all |
server_ip | server_ip/subnet-mask}

Adds an entry to the restricted list, either a client or a server.

#(config restricted-intercept) remove {all | client_ip | client_ip/subnet-mask} {all |
server_ip | server_ip/subnet-mask}

Clears the specified client or server from the restricted list.

#(config restricted-intercept) view {<Enter> | filter {all | client_ip |
client_ip/subnet-mask} {all | server_ip | server_ip/subnet-mask}}

Allows you to view the entire list or to filter on specific clients or servers.
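
The static-bypass list and the restricted-intercept list share one entry format, {all | ip_address | ip_address/subnet-mask} for the client side and the same for the server side, and the two lists combine as the synopses describe: a static-bypass match is never intercepted, and with restricted intercept enabled only listed client/server pairs are. The following Python model is an added illustration, not SGOS code, that parses that entry format (dotted subnet mask or prefix length), implements add, remove, view filter and matching, and makes the combined intercept decision. The filter semantics of view() is an assumption (an entry is shown when both of its sides overlap the filter); the page does not define it.

```python
"""Matching model for client/server bypass and restricted-intercept entries
(added illustration, not SGOS code)."""
import ipaddress


def parse_endpoint(spec):
    """'all' (or '*') is the wildcard; otherwise an address or address/mask.
    ip_network() accepts both 10.0.0.0/24 and 10.0.0.0/255.255.255.0."""
    if spec in ("all", "*"):
        return None
    # strict=False tolerates host bits set in the address part of an entry.
    return ipaddress.ip_network(spec, strict=False)


def _covers(net, ip):
    return net is None or ipaddress.ip_address(ip) in net


def _overlaps(net, filt):
    # Assumed filter rule: a wildcard on either side always overlaps.
    return net is None or filt is None or net.overlaps(filt)


class EndpointList:
    """A list of (client, server) entries, as in static-bypass or restricted-intercept."""

    def __init__(self):
        self.entries = []

    def add(self, client_spec, server_spec):
        entry = (parse_endpoint(client_spec), parse_endpoint(server_spec))
        if entry not in self.entries:
            self.entries.append(entry)

    def remove(self, client_spec, server_spec):
        """Removes the exact entry; returns False when it was not present."""
        entry = (parse_endpoint(client_spec), parse_endpoint(server_spec))
        if entry in self.entries:
            self.entries.remove(entry)
            return True
        return False

    def matches(self, client_ip, server_ip):
        """True when some entry covers both the client and the server address."""
        return any(_covers(c, client_ip) and _covers(s, server_ip)
                   for c, s in self.entries)

    def view(self, client_filter="all", server_filter="all"):
        """'view filter' style output as (client, server) strings."""
        cf, sf = parse_endpoint(client_filter), parse_endpoint(server_filter)
        return [(str(c) if c else "all", str(s) if s else "all")
                for c, s in self.entries
                if _overlaps(c, cf) and _overlaps(s, sf)]


def should_intercept(static_bypass, restricted, restricted_enabled, client_ip, server_ip):
    """Combined decision: a static-bypass match goes to the gateway untouched;
    with restricted intercept enabled, pairs not on that list are left alone too."""
    if static_bypass.matches(client_ip, server_ip):
        return False
    if restricted_enabled and not restricted.matches(client_ip, server_ip):
        return False
    return True
```

Running the page's own examples through the model (static bypass of 10.9.17.135 to all servers, restricted intercept of all clients to 192.168.100.1) shows why a rollout list is worth re-checking before it is disabled: once restricted intercept is turned off, every client not on the static-bypass list becomes eligible for interception again.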

For More Information 

□ Volume 2: Proxies and Proxy Services 

Example 

#(config) proxy-services

#(config proxy-services) restricted-intercept

#(config restricted-intercept) add all 192.168.100.1
#(config rtsp)

Synopsis 

Enters the subcommand mode to allow you to manage a specific proxy service. 

Syntax 

#(config proxy-services) create service_type service_name
#(config proxy-services) edit service_name

This changes the prompt to:

#(config service_name)

Subcommands

#(config service_name) add {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port} [intercept | bypass]

Allows you to add a listener with the parameters you specify.

#(config service_name) attribute reflect-client-ip {disable | enable}

Enables or disables sending of the client's IP address instead of the SG's IP address.

#(config service_name) bypass {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port}

Changes the behavior from intercept to bypass for the listener you specify.

#(config service_name) exit

Exits to the #(config proxy-services) prompt.

#(config service_name) intercept {transparent | explicit | all | ip_address |
ip_address/subnet-mask} {port | first_port-last_port}

Changes the behavior from bypass to intercept for the listener you specify.

#(config service_name) view

Views the specified proxy service.

For More Information 

□ Volume 2: Proxies and Proxy Services 

Example 

SGOS# (config proxy-services) create rtsp rtsp1

SGOS# (config proxy-services) edit rtsp1

SGOS# (config rtsp1) attribute reflect-client-ip enable

ok 
#(config socks)

Synopsis 

Enters the subcommand mode to allow you to manage a specific proxy service. 

Syntax 

#(config proxy-services) create service_type service_name 
#(config proxy-services) edit service_name 
This changes the prompt to: 

#(config service_name) 

Subcommands 

#(config service_name) add {explicit | ip_address | ip_address/subnet-mask} [port | first_port-last_port] [intercept | bypass] 

Allows you to add a listener with the parameters you specify. 

#(config service_name) attribute adn-optimize {disable | enable} 

Controls whether to optimize bandwidth usage when connecting upstream using an ADN tunnel. 

#(config service_name) attribute detect-protocol {disable | enable} 

Detects the protocol being used. Protocols that can be detected include: HTTP, P2P (eDonkey, BitTorrent, 
FastTrack, Gnutella), SSL, and Endpoint Mapper. 

#(config service_name) attribute use-adn {disable | enable} 

Controls whether ADN is enabled for a specific service. Enabling ADN does not guarantee the 
connections are accelerated by ADN. The actual enable decision is determined by ADN routing (for 
explicit deployment) and network setup (for transparent deployment). 

#(config service_name) bypass {explicit | ip_address | ip_address/subnet-mask} {port | first_port-last_port} 

Change the behavior from intercept to bypass for the listener you specify. 

#(config service_name) exit 

Exits to the #(config proxy-services) prompt. 

#(config service_name) intercept {explicit | ip_address | ip_address/subnet-mask} {port | first_port-last_port} 

Change the behavior from bypass to intercept for the listener you specify. 

#(config service_name) view 
Views the specified proxy service. 

For More Information 

□ Volume 2: Proxies and Proxy Services 

Example 

SGOS#(config proxy-services) create socks socks1 
SGOS#(config proxy-services) edit socks1 
SGOS#(config socks1) attribute adn-optimize enable 
ok 

#(config ssl) 

Synopsis 

Enters the subcommand mode to allow you to manage a specific proxy service. 

Syntax 

#(config proxy-services) create service_type service_name 

#(config proxy-services) edit service_name 

This changes the prompt to: 

#(config service_name) 

Subcommands 

#(config service_name) add {transparent | ip_address | ip_address/subnet-mask} {port | first_port-last_port} [intercept | bypass] 

Allows you to add a listener with the parameters you specify. 

#(config service_name) attribute adn-optimize {disable | enable} 

Controls whether to optimize bandwidth usage when connecting upstream using an ADN tunnel. 

#(config service_name) attribute reflect-client-ip {disable | enable} 

Enables or disables sending of client's IP address instead of the SG's IP address. 

#(config service_name) attribute use-adn {disable | enable} 

Controls whether ADN is enabled for a specific service. Enabling ADN does not guarantee the 
connections are accelerated by ADN. The actual enable decision is determined by ADN routing (for 
explicit deployment) and network setup (for transparent deployment). 

#(config service_name) bypass {transparent | ip_address | ip_address/subnet-mask} {port | first_port-last_port} 

Change the behavior from intercept to bypass for the listener you specify. 

#(config service_name) exit 

Exits to the #(config proxy-services) prompt. 

#(config service_name) intercept {transparent | ip_address | ip_address/subnet-mask} {port | first_port-last_port} 

Change the behavior from bypass to intercept for the listener you specify. 

#(config service_name) view 
Views the specified proxy service. 

For More Information 

□ Volume 2: Proxies and Proxy Services 

Example 

SGOS#(config proxy-services) create ssl ssl1 
SGOS#(config proxy-services) edit ssl1 
SGOS#(config ssl1) add transparent 443 

#(config tcp-tunnel) 

Synopsis 

Enters the subcommand mode to allow you to manage a specific proxy service. 

Syntax 

#(config proxy-services) create service_type service_name 

#(config proxy-services) edit service_name 

This changes the prompt to: 

#(config service_name) 

Subcommands 

#(config service_name) add {transparent | explicit | all | ip_address | ip_address/subnet-mask} [port | first_port-last_port] [intercept | bypass] 
Allows you to add a listener with the parameters you specify. 

#(config service_name) attribute adn-optimize {disable | enable} 

Controls whether to optimize bandwidth usage when connecting upstream using an ADN tunnel. 

#(config service_name) attribute detect-protocol {disable | enable} 

Detects the protocol being used. Protocols that can be detected include: HTTP, P2P (eDonkey, BitTorrent, 
FastTrack, Gnutella), SSL, and Endpoint Mapper. 

#(config service_name) attribute early-intercept {disable | enable} 

Controls whether the proxy responds to client TCP connection requests before connecting to the 
upstream server. When early intercept is disabled, the proxy delays responding to the client until after it 
has attempted to contact the server. 

#(config service_name) attribute reflect-client-ip {disable | enable} 

Enables or disables sending of client's IP address instead of the SG's IP address. 

#(config service_name) attribute use-adn {disable | enable} 

Controls whether ADN is enabled for a specific service. Enabling ADN does not guarantee the 
connections are accelerated by ADN. The actual enable decision is determined by ADN routing (for 
explicit deployment) and network setup (for transparent deployment). 

#(config service_name) bypass {transparent | explicit | all | ip_address | ip_address/subnet-mask} {port | first_port-last_port} 

Change the behavior from intercept to bypass for the listener you specify. 

#(config service_name) exit 

Exits to the #(config proxy-services) prompt. 

#(config service_name) intercept {transparent | explicit | all | ip_address | ip_address/subnet-mask} {port | first_port-last_port} 

Change the behavior from bypass to intercept for the listener you specify. 

#(config service_name) view 
Views the specified proxy service. 

For More Information 

□ Volume 2: Proxies and Proxy Services 
Example 

SGOS#(config proxy-services) create tcp-tunnel TCP1 
SGOS#(config proxy-services) edit TCP1 
SGOS#(config TCP1) attribute early-intercept enable 
ok 

#(config telnet) 



Synopsis 

Enters the subcommand mode to allow you to manage a specific proxy service. 

Syntax 

#(config proxy-services) create service_type service_name 

#(config proxy-services) edit service_name 

This changes the prompt to: 

#(config service_name) 

Subcommands 

#(config service_name) add {transparent | explicit | all | ip_address | ip_address/subnet-mask} {port | first_port-last_port} [intercept | bypass] 
Allows you to add a listener with the parameters you specify. 

#(config service_name) attribute reflect-client-ip {disable | enable} 

Enables or disables sending of client's IP address instead of the SG's IP address. 

#(config service_name) bypass {transparent | explicit | all | ip_address | ip_address/subnet-mask} {port | first_port-last_port} 

Change the behavior from intercept to bypass for the listener you specify. 

#(config service_name) exit 

Exits to the #(config proxy-services) prompt. 

#(config service_name) intercept {transparent | explicit | all | ip_address | ip_address/subnet-mask} {port | first_port-last_port} 

Change the behavior from bypass to intercept for the listener you specify. 

#(config service_name) view 
Views the specified proxy service. 

For More Information 

□ Volume 2: Proxies and Proxy Services 



Example 

SGOS#(config proxy-services) create telnet telnet1 
SGOS#(config proxy-services) edit telnet1 
SGOS#(config telnet1) view 
Service Name:   telnet1 
Proxy:          Telnet 
Attributes:     early-intercept 
Destination IP            Port Range    Action 

#(config yahoo-im) 

Synopsis 

Enters the subcommand mode to allow you to manage a specific proxy service. 

Syntax 

#(config proxy-services) create service_type service_name 
#(config proxy-services) edit service_name 
This changes the prompt to: 

#(config service_name) 

Subcommands 

#(config service_name) add {all | ip_address | ip_address/subnet-mask} {port | first_port-last_port} [intercept | bypass] 

Allows you to add a listener with the parameters you specify. 

#(config service_name) attribute reflect-client-ip {disable | enable} 

Enables or disables sending of client's IP address instead of the SG's IP address. 

#(config service_name) bypass {all | ip_address | ip_address/subnet-mask} {port | first_port-last_port} 

Changes the behavior from intercept to bypass for the listener you specify. 

#(config service_name) exit 

Exits to the #(config proxy-services) prompt. 

#(config service_name) intercept {all | ip_address | ip_address/subnet-mask} {port | first_port-last_port} 

Changes the behavior from bypass to intercept for the listener you specify. 

#(config service_name) view 
Views the specified proxy service. 

For More Information 

□ Volume 2: Proxies and Proxy Services 

Example 

SGOS#(config proxy-services) create yahoo-im yahoo1 
SGOS#(config proxy-services) edit yahoo1 
SGOS#(config yahoo1) attribute reflect-client-ip enable 
ok 

#(config) restart 

Synopsis 

Use this command to set restart options for the SG appliance. 

Syntax 

#(config) restart core-image {context | full | keep number | none} 
context: Indicates only core image context should be written on restart. 
full: Indicates full core image should be written on restart. 
keep number: Specifies a number of core images to keep on restart. 
none: Indicates no core image should be written on restart. 

#(config) restart mode {hardware | software} 
hardware: Specifies a hardware restart, 
software: Specifies a software restart. 

For More Information 

□ Volume 10: Managing the Blue Coat SG Appliance 

Example 

SGOS# (config) restart mode software 

ok 

#(config) return-to-sender 

Synopsis 

The return-to-sender feature eliminates unnecessary network traffic when the three following 
conditions are met: 

□ The SG appliance has connections to clients or servers on a different subnet. 

□ The shortest route to the clients or servers is not through the default gateway. 

□ There are no static routes or RIP routes defined that apply to the IP addresses of the clients 
and servers. 

Under these conditions, if the return-to-sender feature is enabled, the SG appliance remembers the 
MAC address of the last hop for a packet from the client or server and sends any responses or requests 
to the MAC address instead of the default gateway. 

Under the same conditions, if return-to-sender is disabled, the SG appliance sends requests or 
responses to the default gateway, which then sends the packets to the gateway representing the last 
hop to the SG appliance for the associated connection. This effectively doubles the number of packets 
transmitted on the LAN compared to when return-to-sender is enabled. 

Inbound return-to-sender affects connections initiated to the SG appliance by clients. Outbound 
return-to-sender affects connections initiated by the SG appliance to origin servers. 

Note: Return-to-sender functionality should only be used if static routes cannot be defined for the 
clients and servers or if routing information for the clients and servers is not available through RIP 
packets. 

With return-to-sender, you can use load balancing. By default, all traffic flows out of one card. If 
return-to-sender is enabled, traffic is returned on the card it originally came from. 

Syntax 

#(config) return-to-sender inbound {disable | enable} 

Enables or disables return-to-sender for inbound sessions. 

#(config) return-to-sender outbound {disable | enable} 

Enables or disables return-to-sender for outbound sessions. 

#(config) return-to-sender version {1 | 2} 

Enables return-to-sender (RTS) versions 1 or 2. 

In version 1, the RTS route is created at Layer 3 and stored globally, thus being interface agnostic. 

RTS version 2 was introduced to get around this multi-interface limitation. With version 2, TCP now 
stores a per-socket RTS route that contains both the destination MAC address and interface information. 
After the SYN is received by the SG appliance, all subsequent packets on that socket traverse the 
interface on which the SYN was received. 

Note: All current sockets tied to that interface will time out. However, subsequent and existing TCP 
connections continue to function normally on the other interfaces. 
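As an added illustration of the version 1 and version 2 behaviour just described (not SGOS code), the following model records the last hop learned from an inbound SYN and decides the next hop for the responses. The table layouts, the class and function names, and the choice to key the version 1 table by remote IP address (drawn from "created at Layer 3 and stored globally") are assumptions.

```python
"""Model of the return-to-sender (RTS) next-hop decision.

Version 1 keeps one global, interface-agnostic route per remote address;
version 2 keeps a per-socket route carrying both the last-hop MAC and the
interface on which the SYN arrived.  Added example, not SGOS code: the
tables below illustrate the documented behaviour, not appliance internals,
and keying the v1 table by remote IP address is an assumption."""

from typing import Dict, Tuple

# (remote_ip, remote_port, local_ip, local_port) identifies one TCP socket.
Socket = Tuple[str, int, str, int]
# (destination MAC, egress interface) is the next hop chosen for a packet.
NextHop = Tuple[str, str]


class ReturnToSender:
    def __init__(self, version: int, default_iface: str, gateway_mac: str,
                 inbound_enabled: bool = True) -> None:
        if version not in (1, 2):
            raise ValueError("return-to-sender version must be 1 or 2")
        self.version = version
        # Where responses go when RTS is disabled or knows nothing about the
        # flow: the default gateway, out of the single default card.
        self.default_hop: NextHop = (gateway_mac, default_iface)
        self.inbound_enabled = inbound_enabled
        self.v1_routes: Dict[str, str] = {}          # remote_ip -> last-hop MAC
        self.v2_routes: Dict[Socket, NextHop] = {}   # socket -> (MAC, interface)

    def learn_syn(self, sock: Socket, last_hop_mac: str, iface: str) -> None:
        """Remember the last hop of an inbound SYN (client -> SG appliance)."""
        if not self.inbound_enabled:
            return
        if self.version == 1:
            # Global table: a later SYN from the same address overwrites the
            # MAC learned earlier, whatever interface either SYN arrived on.
            self.v1_routes[sock[0]] = last_hop_mac
        else:
            self.v2_routes[sock] = (last_hop_mac, iface)

    def next_hop(self, sock: Socket) -> NextHop:
        """Decide where a response on this socket is sent."""
        if not self.inbound_enabled:
            return self.default_hop
        if self.version == 1:
            mac = self.v1_routes.get(sock[0])
            # Interface agnostic: the learned MAC is used on the default card.
            return (mac, self.default_hop[1]) if mac else self.default_hop
        # Version 2: the socket's own MAC and the interface its SYN came in on.
        return self.v2_routes.get(sock, self.default_hop)

    def returned_on_arrival_interface(self, sock: Socket, arrival_iface: str) -> bool:
        """True when the response leaves on the card the SYN arrived on."""
        return self.next_hop(sock)[1] == arrival_iface


# Constructed sample: one client address reachable through two cards.
GATEWAY_MAC = "00:00:5e:00:53:ff"
HOP_A, HOP_B = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
SOCK_A: Socket = ("10.1.1.5", 40000, "192.0.2.10", 8080)     # SYN arrived on eth0
SOCK_B: Socket = ("10.1.1.5", 40001, "198.51.100.10", 8080)  # SYN arrived on eth1


def demo(version: int) -> Dict[str, NextHop]:
    """Learn both SYNs, then report the next hop chosen for each socket."""
    rts = ReturnToSender(version, default_iface="eth0", gateway_mac=GATEWAY_MAC)
    rts.learn_syn(SOCK_A, HOP_A, "eth0")
    rts.learn_syn(SOCK_B, HOP_B, "eth1")
    return {"A": rts.next_hop(SOCK_A), "B": rts.next_hop(SOCK_B)}


if __name__ == "__main__":
    for v in (1, 2):
        print(f"version {v}: {demo(v)}")
```

With version 1 both sockets are answered to the last-learned MAC on the default card; with version 2 each socket is answered to its own last hop on the interface its SYN arrived on.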

For More Information 

□ Volume 5: Advanced Networking 

Example 

SGOS# (config) return-to-sender inbound enable 

ok 

#(config) reveal-advanced 



□ #reveal-advanced on page 71. 

#(config) rip 

Synopsis 

Use this command to set RIP (Routing Information Protocol) configuration options. 

Using RIP, a host and router can send a routing table list of all other known hosts to its closest 
neighbor host every 30 seconds. The neighbor host passes this information on to its next closest 
neighbor and so on until all hosts have perfect knowledge of each other. (RIP uses the hop count 
measurement to derive network distance.) Each host in the network can then use the routing table 
information to determine the most efficient route for a packet. 

The RIP configuration is defined in a configuration file. To configure RIP, first create a text file of RIP 
commands and then load the file by using the load command. 

Syntax 

#(config) rip disable 

Disables the current RIP configuration. 

#(config) rip enable 

Enables the current RIP configuration. 

#(config) rip no path 

Clears the current RIP configuration path as determined using the rip path url command. 

#(config) rip path url 

Sets the path to the RIP configuration file to the URL indicated by url. 

For More Information 

□ Volume 5: Advanced Networking 

Example 

SGOS#(config) rip path 10.25.36.47/files/rip.txt 

ok 

#(config) security 

The #(config) security command is used for security, authentication, and authorization. The 
security command, by itself, cannot be used. You must use security commands with the options 
discussed in Subcommands below. 

Synopsis 

The SG appliance provides the ability to authenticate and authorize explicit and transparent proxy 
users using industry-standard authentication services. 

Syntax 

#(config) security [subcommands] 

Subcommands 

Modes in the security command are divided into three categories: 

□ Console Access and Authorization 

□ Realms 

□ Transparent Proxy 



Note: While the commands are listed in functional order below, they are discussed in alphabetical 
order in the pages that follow. Each of the options in blue is hyperlinked so you can go directly to the 
command. 



Console Access and Authorization 

The options in this category do not enter a new submode. These options allow you to manage 
passwords and usernames for the SG appliance itself. 

#(config security allowed-access) on page 259 

Adds or removes the specified IP address to the access control list. 

#(config security default-authenticate-mode) on page 267 

Sets the default authenticate.mode to auto or to sg2. 

#(config security destroy-old-password) on page 268 

Destroys recoverable passwords in configuration used by previous versions. 

#(config security enable-password and hashed-enable-password) on page 269 

Sets the console enable password to the password specified. 

#(config security enforce-acl) on page 270 

Enables or disables the console access control list. 

#(config security front-panel-pin and hashed-front-panel-pin) on page 271 

Sets a four-digit PIN to restrict access to the front panel of the SG appliance. 

#(config security management) on page 283 

Manages display settings. 

#(config) security password and hashed-password on page 286 

Specifies the console enable password in hashed format. 

#(config) security password-display on page 287 

Specifies the format used to display passwords in show config output. 
#(config) security users on page 301 

Manages user logins, logouts, and refresh data. 

#(config) security username on page 302 

Specifies the console username. 



Realms 

Multiple authentication realms can be used on a single SG appliance. Multiple realms are essential if 
the enterprise is a managed provider or the company has merged with or acquired another company. 
Even for companies using only one protocol, multiple realms might be necessary, such as the case of a 
company using an LDAP server with multiple authentication boundaries. You can use realm 
sequencing to search the multiple realms all at one time. 



Note: Up to 40 realms per type (such as certificate, authentication forms, and RADIUS) are allowed. 



#(config security authentication-forms) on page 260 

Creates and manages authentication forms. 

#(config security certificate) on page 262 

Creates and manages certificate realms. 

#(config security coreid) on page 264 

Creates and manages COREid realms. 

#(config security iwa) on page 272 

Creates and manages IWA realms. 

#(config security ldap) on page 275 

Creates and manages LDAP realms. 

#(config) security local on page 279 

Creates and manages local realms. 

#(config security local-user-list) on page 281 

Creates and manages local user lists. 

#(config security novell-sso) on page 284 

Creates and manages Novell SSO realms. 

#(config security policy-substitution) on page 288 

Creates and manages policy-substitution realms. 

#(config security radius) on page 290 

Creates and manages RADIUS realms. 

#(config security request-storage) on page 293 

Creates and manages request-storage realms. 

#(config security sequence) on page 294 

Creates and manages sequence realms. 

#(config security siteminder) on page 296 

Creates and manages SiteMinder realms. 

#(config windows-sso) on page 303 

Creates and manages Windows SSO realms. 

#(config security xml) on page 305 
Creates and manages XML realms. 

Transparent Proxy 

The transparent proxy authentication commands allow you 
#(config) security transparent-proxy-auth on page 300 

Specifies certain transparent proxy authentication settings. 

For More Information 

□ Volume 4: Securing the Blue Coat SG Appliance 

Example 

#(config) show security 
Account: 
  Username: "admin" 
  Hashed Password: $l$a2zTlEE$lb88R3SXUTXS . zOVlhSdbO 
  Hashed Enable Password: $l$xQnqGerX$LU65b2 0trsIAF6yJox26L . 
  Hashed Front Panel PIN: "$l$ThSEiBlv$seyBhSxtTXEtUGDZ5NOBl/" 
Management console display realm name: "Aurora" 
Management console auto-logout timeout: Never 
Access control is disabled 
Access control list (source, mask): 
Flush credentials on policy update is enabled 
Default authenticate.mode: auto 
Transparent proxy authentication: 
  Method: cookie 
  Cookie type: session 
  Cookie virtual-url: "www.cfauth.com/" 
  IP time-to-live: 15 
Local realm: 
  No local realm is defined. 
RADIUS realm: 
  No RADIUS realm is defined. 
LDAP realm(s): 
  No LDAP realm is defined. 
IWA realm(s): 
  No IWA realm is defined. 
Certificate realm(s): 
  No certificate realms are defined. 
SiteMinder realm(s): 
  No realms defined. 
COREid realm(s): 
  No realms defined. 
Policy-substitution realm(s): 
  No realms defined. 
Realm sequence(s): 
  No realm sequences defined. 

#(config security allowed-access) 

Synopsis 

Adds or removes IP addresses to the console access control list. 

Syntax 

#(config) security allowed-access [subcommands] 



Subcommands 

#(config) security allowed-access add source_ip [ip_mask] 
Adds the specified IP address to the access control list. 

#(config) security allowed-access remove source_ip [ip_mask] 
Removes the specified IP from the access control list. 

For More Information 

□ #(config security enforce-acl) on page 270 

□ Volume 1: Getting Started 

Example 

#(config) security allowed-access add 10.25.36.47 

#(config security authentication-forms) 

You can use forms-based authentication exceptions to control what your users see during 
authentication. 

To create and put into use forms-based authentication, you must complete the following steps: 

□ Create a new form or edit one of the existing authentication form exceptions 

□ Set storage options 

□ Set policies 

Synopsis 

Allows you to create and manage authentication forms. 

Syntax 

#(config) security authentication-forms [subcommands] 



Subcommands 

#(config) security authentication-forms copy source_form_name target_form_name 

Changes the name of a form. Note that you cannot change the form type. 

#(config) security authentication-forms create {authentication-form | new-pin-form | query-form} form_name 
Creates a new authentication form using the form type you specify. 

#(config) security authentication-forms delete form_name 
Deletes an authentication form. 

#(config) security authentication-forms inline form_name eof_marker 
Installs an authentication form from console input. 

#(config) security authentication-forms load form_name 
Downloads a new authentication form. 

#(config) security authentication-forms no path [form_name] 

Negates authentication-form configuration. 

#(config) security authentication-forms path [form_name] path 

Specifies the path (URL or IP address) from which to load an authentication form, or the entire set of 
authentication forms. 

#(config) security authentication-forms view 

Views the form specified or all forms. 

For More Information 

□ #(config security request-storage) on page 293 

□ Volume 4: Securing the Blue Coat SG Appliance 
Example 

#(config) security authentication-forms 

#(config authentication-forms) create form_type form_name 
ok 

where form_type indicates the default authentication-form, new-pin-form, or 
query-form and form_name is the name you give the form. 

#(config security certificate) 

After an SSL session has been established, the user is asked to select the certificate to send to the SG 
appliance. If the certificate was signed by a Certificate Signing Authority that the SG appliance trusts, 
including itself, then the user is considered authenticated. The username for the user is the one 
extracted from the certificate during authentication. 

You do not need to specify an authorization realm if: 

□ The policy does not make any decisions based on groups 

□ The policy works as desired when all certificate realm-authenticated users are not in any 
group 

Synopsis 

Allows you to create and manage certificate realms. 



Syntax 

#(config) security certificate [subcommands] 



Subcommands 

#(config) security certificate create-realm realm_name 
Creates the specified certificate realm. 

#(config) security certificate delete-realm realm_name 
Deletes the specified certificate realm. 

#(config) security certificate edit-realm realm_name 
Changes the prompt. See Submodes for details. 

#(config) security certificate view [realm_name] 

Displays the configuration of all certificate realms or just the configuration for realm_name if specified. 

Submodes 

#(config) security certificate edit-realm realm_name 

This changes the prompt to: 

#(config certificate_realm) 

Commands in this submode: 

#(config certificate certificate_realm) authorization append-base-dn {disable | dn dn_to_append | enable} 

Disables or enables appending of the base DN to the authenticated username, or specifies the base DN to 
append. If no base DN is specified, then the first base DN in the LDAP authorization realm is used. 
Applies to LDAP authorization realms only. 

#(config certificate certificate_realm) authorization container-attr-list 
list_of_attribute_names 

Specifies the attributes from the certificate subject to use in constructing the user DN. E.g. "o, ou". The 
list needs to be quoted if it contains spaces. 

#(config certificate certificate_realm) authorization no {container-attr-list | realm-name} 

Clears the container attribute list or the authorization realm. 
#(config certificate certificate_realm) authorization realm-name authorization_realm_name 

Specifies the authorization realm to use. Only LDAP and local realms are valid authorization realms. 

#(config certificate certificate_realm) authorization username-attribute username_attribute 

Specifies the attribute in the certificate subject that identifies the user's relative name. The default is "cn". 
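The authorization options above (username-attribute, container-attr-list and append-base-dn) together determine how the username and the LDAP user DN are built from the certificate subject. The following is an added illustrative model of that construction, not SGOS code: the RFC 4514 subject parsing, the order in which container attributes are appended, and all class and function names are assumptions.

```python
"""Illustrative model of how a certificate realm derives the authenticated
username and the LDAP user DN from the client certificate subject, using the
documented authorization options: username-attribute (default "cn"),
container-attr-list (e.g. "o, ou") and append-base-dn.

Added example, not SGOS code.  Assumptions: the subject is an RFC 4514
string, container attributes are appended in the order listed, and each is
taken from the subject as many times as it occurs."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Characters that RFC 4514 requires escaping inside an attribute value.
_SPECIAL = ',+"\\<>;'


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split on sep, ignoring separators escaped with a backslash."""
    parts, current, escaped = [], [], False
    for ch in text:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def _unescape(value: str) -> str:
    """Turn 'Smith\\, J' back into 'Smith, J'."""
    out, escaped = [], False
    for ch in value:
        if escaped:
            out.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        else:
            out.append(ch)
    return "".join(out)


def _escape(value: str) -> str:
    """Escape a value so placing it in a DN cannot add extra RDNs."""
    return "".join("\\" + ch if ch in _SPECIAL else ch for ch in value)


def parse_subject(subject: str) -> Dict[str, List[str]]:
    """Parse 'CN=alice,OU=eng,O=Example' into {attribute: [values]},
    keeping repeated attributes such as several OU components."""
    attrs: Dict[str, List[str]] = {}
    for rdn in _split_unescaped(subject, ","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        key, value = rdn.split("=", 1)
        attrs.setdefault(key.strip().lower(), []).append(_unescape(value.strip()))
    return attrs


@dataclass
class CertificateRealmAuthz:
    """Authorization settings of one certificate realm (CLI names in comments)."""
    username_attribute: str = "cn"                  # authorization username-attribute
    container_attr_list: List[str] = field(default_factory=list)  # container-attr-list
    append_base_dn: bool = False                    # append-base-dn enable
    base_dn: Optional[str] = None                   # append-base-dn dn dn_to_append
    ldap_realm_first_base_dn: Optional[str] = None  # fallback when no dn is given

    def username(self, subject: str) -> str:
        """The authenticated username: the single username_attribute value."""
        values = parse_subject(subject).get(self.username_attribute.lower(), [])
        if len(values) != 1:
            raise LookupError(f"subject must carry exactly one "
                              f"{self.username_attribute}, found {len(values)}")
        return values[0]

    def user_dn(self, subject: str) -> str:
        """Relative name, then container attributes, then the base DN."""
        attrs = parse_subject(subject)
        parts = [f"{self.username_attribute}={_escape(self.username(subject))}"]
        for attr in self.container_attr_list:
            for value in attrs.get(attr.lower(), []):
                parts.append(f"{attr}={_escape(value)}")
        if self.append_base_dn:
            base = self.base_dn or self.ldap_realm_first_base_dn
            if not base:
                raise ValueError("append-base-dn is enabled but no base DN is available")
            parts.append(base)
        return ",".join(parts)
```

The escaping matters because a subject value containing a comma would otherwise be read back as an additional RDN when the DN is used in the LDAP authorization realm.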

#(config certificate certificate_realm) cookie {persistent {enable | disable} | verify-ip {enable | disable}} 

Specifies whether to enable persistent or session cookies, and whether to verify the IP address of the 
cookie. 

#(config certificate certificate_realm) display-name display_name 
Specifies the display name for this realm. 

#(config certificate certificate_realm) exit 

Exits #(config certificate_realm) mode and returns to #(config) mode. 

#(config certificate certificate_realm) inactivity-timeout seconds 
Specifies the amount of time a session can be inactive before being logged out. 

#(config certificate certificate_realm) refresh-time {authorization-refresh seconds | surrogate-refresh seconds} 

Sets the refresh time for authorization and surrogates. 

#(config certificate certificate_realm) rename new_realm_name 
Renames this realm to new_realm_name. 

#(config certificate certificate_realm) view 
Displays this realm's configuration. 

#(config certificate certificate_realm) virtual-url url 

Specifies the virtual URL to use for this realm. If no URL is specified the global transparent proxy virtual 
URL is used. 



For More Information 

□ #(config security ldap) on page 275 

□ #(config) security local on page 279 

□ Volume 4: Securing the Blue Coat SG Appliance 



Example 

#(config) security certificate edit-realm testcert 
#(config certificate testcert) no container-attr-list 
ok 
#(config certificate testcert) cache-duration 800 
ok 
#(config certificate testcert) exit 
#(config) 

#(config security coreid) 

Within the COREid Access System, BCAAA acts as a custom AccessGate. It communicates with the 
COREid Access Servers to authenticate the user and to obtain a COREid session token, authorization 
actions, and group membership information. 

Synopsis 

Allows you to create and manage COREid realms. 



Syntax 

#(config) security coreid [subcommands] 

Subcommands 

#(config) security coreid create-realm realm_name 
Creates the specified COREid realm. 

#(config) security coreid delete-realm realm_name 
Deletes the specified COREid realm. 

#(config) security coreid edit-realm realm_name 
Changes the prompt. See Submodes for details. 

#(config) security coreid view [realm_name] 

Displays the configuration of all COREid realms or just the configuration for realm_name if specified. 

Submodes 

#(config) security coreid edit-realm realm_name 
This changes the prompt to: 

#(config coreid realm_name) 

Commands in this submode: 

#(config coreid realm_name) access-server-hostname hostname 
The hostname of the primary Access Server. 

#(config coreid realm_name) access-server-id id 
The ID of the primary Access Server. 

#(config coreid realm_name) access-server-port port 
The port of the primary Access Server. 

#(config coreid realm_name) add-header-responses {disable | enable} 

When enabled, authorization actions from the policy domain obtained during authentication are added 
to each request forwarded by the SG appliance. Note that header responses replace any existing header 
of the same name; if no such header exists, the header is added. Cookie responses replace a cookie 
header with the same cookie name; if no such cookie header exists, one is added. 

#(config coreid realm_name) alternate-agent accessgate-id name 
The ID of the alternate AccessGate agent. 

#(config coreid realm_name) alternate-agent encrypted-secret encrypted_shared_secret 

The encrypted password associated with the alternate AccessGate. (Passwords can be up to 64 characters 
long and are always case sensitive.) The primary use of the encrypted-secret command is to allow the SG 
appliance to reload a password that it encrypted. If you choose to use a third-party encryption 
application, be sure it supports RSA encryption, OAEP padding, and is Base64 encoded with no 
newlines. 
#(config coreid realm_name) alternate-agent host hostname 

The hostname or the IP address of the alternate system that contains the agent. 

#(config coreid realm_name) alternate-agent port port 
The port where the alternate agent listens. 

#(config coreid realm_name) alternate-agent secret shared_secret 

The password associated with the alternate AccessGate. (Passwords can be up to 64 characters long and 
are always case sensitive.) 

#(config coreid realm_name) always-redirect-offbox {disable | enable} 

Forces authentication challenges to always be redirected to an off-box URL. 

#(config coreid realm_name) cache-duration seconds 

Specifies the length of time in seconds that user and administrator credentials received are cached. 
Credentials can be cached for up to 3932100 seconds. The default value is 900 seconds (15 minutes). 

#(config coreid realm_name) case-sensitive {disable | enable} 

Specifies whether the username and group comparisons on the SG appliance should be case-sensitive. 

#(config coreid realm_name) certificate-path certificate_path 

If Cert mode is used, the location on the BCAAA host machine where the key, server and CA chain 
certificates reside. The certificate files must be named aaa_key.pem, aaa_cert.pem and aaa_chain.pem 
respectively. 

#(config coreid realm_name) cookie {persistent {enable | disable} | verify-ip {enable | disable}} 

Specifies whether to enable persistent or session cookies, and whether to verify the IP address of the 
cookie. 

#(config coreid realm_name) display-name display_name 

Equivalent to the display-name option in the CPL authenticate action. The default value for the display 
name is the realm name. The display name cannot be longer than 128 characters and it cannot be null. 

#(config coreid realm_name) encrypted-transport-pass-phrase encrypted_pass_phrase 
If Simple or Cert mode is used, the Transport encrypted passphrase configured in the Access System. 

#(config coreid realm_name) exit 

Exits the #(config coreid) edit mode and returns to #(config) mode. 

#(config coreid realm_name) inactivity-timeout seconds 

Specifies the amount of time a session can be inactive before being logged out. 

#(config coreid realm_name) log-out {challenge {enable | disable} | display-time seconds} 

Allows you to challenge the user after log out and define the log out page display time. 

#(config coreid realm_name) no {alternate-agent | certificate-path} 
Removes the alternate agent configuration or the certificate path. 

#(config coreid realm_name) primary-agent accessgate-id name 
The ID of the primary AccessGate agent. 

#(config coreid realm_name) primary-agent encrypted-secret encrypted_shared_secret 

The encrypted password associated with the primary AccessGate. (Passwords can be up to 64 characters 
long and are always case sensitive.) The primary use of the encrypted-secret command is to allow the SG 
appliance to reload a password that it encrypted. If you choose to use a third-party encryption 
application, be sure it supports RSA encryption, OAEP padding, and is Base64 encoded with no newline. 

#(config coreid realm_name) primary-agent host hostname 

The hostname or the IP address of the primary system that contains the agent. 

#(config coreid realm_name) primary-agent port port 
The port where the primary agent listens. 

#(config coreid realm_name) primary-agent secret shared_secret 

The password associated with the primary AccessGate. (Passwords can be up to 64 characters long and 
are always case sensitive.) 

#(config coreid realm_name) protected-resource-name resource_name 
The resource name defined in the Access System policy domain. 

#(config coreid realm_name) refresh-time {credential-refresh seconds | 
rejected-credentials-refresh seconds | surrogate-refresh seconds} 

Sets the refresh time for credential, rejected credentials cache, and surrogates. 

#(config coreid realm_name) rename new_realm_name 
Renames the realm to your request. 

#(config coreid realm_name) security-mode {cert | open | simple} 

The Security Transport Mode for the AccessGate to use when communicating with the Access System. 

#(config coreid realm_name) ssl {disable | enable} 

Enable or disable SSL. 

#(config coreid realm_name) ssl-verify-agent {disable | enable} 

Enable or disable verification of BCAAA's certificate. 

#(config coreid realm_name) timeout seconds 

The length of time to elapse before timeout if a response from BCAAA is not received. 

#(config coreid realm_name) transport-pass-phrase pass_phrase 

If Simple or Cert mode is used, the Transport passphrase configured in the Access System. 

#(config coreid realm_name) validate-client-IP {disable | enable} 

Enables validation of the client IP address in SSO cookies. If the client IP address in the SSO cookie can 
be valid yet different from the current request client IP address due to downstream proxies or other 
devices, then disable client IP address validation. The WebGates participating in SSO with the SG 
appliance should also be modified. The WebGateStatic.lst file should be modified to either set the 
ipvalidation parameter to false or to add the downstream proxy/device to the IPValidationExceptions 
lists. 

#(config coreid realm_name) view 
Views the realm configuration. 

#(config coreid realm_name) virtual-url uri 

The URL to redirect to when the user needs to be challenged for credentials. If the SG appliance is 
participating in SSO, the virtual hostname must be in the same cookie domain as the other servers 
participating in the SSO. It cannot be an IP address or the default. 

For More Information 

□ #(config security siteminder) on page 296 

□ Volume 4: Securing the Blue Coat SG Appliance 

Example 

SGOS#(config) security coreid edit-realm coreid_1 
SGOS#(config coreid coreid_1) access-server-hostname AccessServer_1 
SGOS#(config coreid coreid_1) cache-duration 800 
SGOS#(config coreid coreid_1) exit 

#(config security default-authenticate-mode) 

Synopsis 

Sets the default authenticate mode to auto or to sg2. 

Syntax 

#(config) security default-authenticate-mode [auto | sg2] 



Subcommands 

#(config) security default-authenticate-mode auto 

Sets the default authenticate mode to auto. 

#(config) security default-authenticate-mode sg2 

Sets the default authenticate mode to sg2. 

For More Information 

□ Volume 4: Securing the Blue Coat SG Appliance 

Example 

SGOS# (config) security default-authenticate-mode auto 

#(config security destroy-old-password) 

Synopsis 

Destroys recoverable passwords in configuration used by previous versions. 

Syntax 

#(config) security destroy-old-password [force] 

Subcommands 

#(config) security destroy-old-password 

Destroys passwords after prompting. 

#(config) security destroy-old-password force 
Destroys passwords without prompting. 



Note: Do not use this command if you intend to downgrade, as the old passwords are destroyed. 



For More Information 

□ Volume 4: Securing the Blue Coat SG Appliance 

Example 

#(config) security destroy-old-password force 

#(config security enable-password and hashed-enable-password) 

Synopsis 

Sets the console enable password to the password specified. 

Syntax 

#(config) security enable-password "password" 

#(config) security hashed-enable-password hashed_password 

Subcommands 

#(config) security enable-password "password" 

Note that the enable password must be in quotes. This is the password required to enter enable mode 
from the CLI when using console credentials, the serial console, or RSA SSH. 

#(config) security hashed-enable-password hashed_password 

The enable password in hashed format. You can either hash the password prior to entering it, or you can 
allow the SG appliance to hash the password. 

For More Information 

□ Volume 4: Securing the Blue Coat SG Appliance 



Example 

#(config) security enable-password "test" 
#(config security enforce-acl) 

Synopsis 

Enables or disables the console access control list (ACL). 

Syntax 

#(config) security enforce-acl [enable | disable] 



Subcommands 

#(config) security enforce-acl enable 
Enables the access control list. 

#(config) security enforce-acl disable 
Disables the access control list. 

For More Information 

□ #(config) alert on page 103 

Example 

#(config) security enforce-acl disable 

#(config security front-panel-pin and hashed-front-panel-pin) 



Synopsis 

Sets a four-digit PIN to restrict access to the front panel of the SG appliance. 

Syntax 

#(config) security front-panel-pin PIN 

Subcommands 

#(config) security front-panel-pin PIN 

Use of this command is recommended for security reasons. 



Note: To clear the PIN, specify 0000. 



For More Information 

□ Volume 4: Securing the Blue Coat SG Appliance 

Example 

#(config) security front-panel-pin 1234 

#(config security iwa) 

Integrated Windows Authentication (IWA) is an authentication mechanism available on Windows 
networks. (The name of the realm has been changed from NTLM to IWA.) 

IWA is a Microsoft-proprietary authentication suite that allows Windows clients (running on 
Windows 2000 and higher) to automatically choose between using Kerberos and NTLM 
authentication challenge/response, as appropriate. When an IWA realm is used and a resource is 
requested by the client from the SG appliance, the appliance contacts the client's domain account to 
verify the client's identity and request an access token. The access token is generated by the domain 
controller (in the case of NTLM authentication) or a Kerberos server (in the case of Kerberos 
authentication) and passed to (and if valid, accepted by) the SG appliance. 

Refer to the Microsoft Web site for detailed information about the IWA protocol. 

Synopsis 

Allows you to create and manage IWA realms. 



Syntax 

#(config) security iwa [subcommands] 



Subcommands 

#(config) security iwa create-realm realm_name 
Creates the specified IWA realm. 

#(config) security iwa delete-realm realm_name 
Deletes the specified IWA realm. 

#(config) security iwa edit-realm realm_name 
Changes the prompt. See Submodes for details. 

#(config) security iwa view [realm_name] 

Displays the configuration of all IWA realms or just the configuration for realm_name if specified. 

Submodes 

#(config) security IWA edit-realm realm_name 
This changes the prompt to: 

#(config IWA realm_name) 

Commands in this submode: 

#(config IWA realm_name) alternate-server host [port] 

Specifies the alternate server host and port. 

#(config IWA realm_name) cache-duration seconds 
Specifies the length of time to cache credentials for this realm. 

#(config IWA realm_name) cookie {persistent {enable | disable} | verify-ip {enable | disable}} 

Specifies whether to enable persistent or session cookies, and whether to verify the IP address of the 
cookie. 

#(config IWA realm_name) credentials-basic {disable | enable} 

Disables/enables support for Basic credentials in this realm. At least one of Basic or NTLM/Kerberos 
credentials must be supported. 

#(config IWA realm_name) credentials-kerberos {disable | enable} 

Disables/enables support for Kerberos credentials in this realm. If Kerberos is enabled, NTLM must also 
be enabled. At least one of Basic or NTLM/Kerberos credentials must be supported. 

#(config IWA realm_name) credentials-ntlm {disable | enable} 

Disables/enables support for NTLM credentials in this realm. If NTLM is enabled, Kerberos must also be 
enabled. At least one of Basic or NTLM/Kerberos credentials must be enabled. 

#(config IWA realm_name) display-name display_name 
Specifies the display name for this realm. 

#(config IWA realm_name) exit 

Exits the iwa edit mode and returns to #(config) mode. 

#(config IWA realm_name) inactivity-timeout seconds 

Specifies the amount of time a session can be inactive before being logged out. 

#(config IWA realm_name) log-out {challenge {enable | disable} | display-time seconds} 

Allows you to challenge the user after log out and define the log out page display time. 

#(config IWA realm_name) no alternate-server 
Clears the alternate-server. 

#(config IWA realm_name) primary-server host [port] 

Specifies the primary server host and port. 

#(config IWA realm_name) refresh-time {credential-refresh seconds | 
rejected-credentials-refresh seconds | surrogate-refresh seconds} 

Sets the refresh time for credential, rejected credentials cache time, and surrogates. 

#(config IWA realm_name) rename new_realm_name 
Renames this realm to new_realm_name. 

#(config IWA realm_name) spoof-authentication {none | origin | proxy} 

Enables/disables the forwarding of authenticated credentials to the origin content server or for proxy 
authentication. Flush the entries for a realm if the spoof-authentication value is changed to ensure that 
the spoof-authentication value is immediately applied. 

You can only choose one. 

• If set to origin, the spoofed header is an Authorization: header. 

• If set to proxy, the spoofed header is a Proxy-Authorization: header. 

• If set to none, no spoofing is done. 

#(config IWA realm_name) ssl {disable | enable} 

Disables/enables SSL communication between the SG appliance and BCAAA. 

#(config IWA realm_name) ssl-verify-server {disable | enable} 

Specifies whether or not to verify the BCAAA certificate. 

#(config IWA realm_name) timeout seconds 
Specifies the IWA request timeout. 

#(config IWA realm_name) view 
Displays this realm's configuration. 

#(config IWA realm_name) virtual-url uri 

Specifies the virtual URL to use for this realm. If no URL is specified the global transparent proxy virtual 
URL is used. 

For More Information 

□ Volume 4: Securing the Blue Coat SG Appliance 

Example 

#(config) security IWA edit-realm testIWA 

#(config IWA testIWA) cache-duration 1500 
ok 

#(config IWA testIWA) no alternate-server 
ok 

#(config IWA testIWA) exit 
#(config) 
#(config security ldap) 

Blue Coat supports both LDAP v2 and LDAP v3, but recommends LDAP v3 because it uses Transport 
Layer Security (TLS) and SSL to provide a secure connection between the SG appliance and the LDAP 
server. 

An LDAP directory, either version 2 or version 3, consists of a simple tree hierarchy. An LDAP 
directory might span multiple LDAP servers. In LDAP v3, servers can return referrals to other servers 
back to the client, allowing the client to follow those referrals if desired. 

Directory services simplify administration; any additions or changes made once to the information in 
the directory are immediately available to all users and directory-enabled applications, devices, and 
SG appliances. 

The SG appliance supports the use of external LDAP database servers to authenticate and authorize 
users on a per-group or per-attribute basis. 

LDAP group-based authentication for the SG appliance can be configured to support any 
LDAP-compliant directory including: 

□ Microsoft Active Directory Server 

□ Novell NDS / eDirectory Server 

□ Netscape/Sun iPlanet Directory Server 

□ Other 

Synopsis 

Allows you to configure and manage LDAP realms. 



Syntax 

#(config) security ldap [subcommands] 



Subcommands 

#(config) security ldap create-realm realm_name 
Creates the specified LDAP realm. 

#(config) security ldap delete-realm realm_name 
Deletes the specified LDAP realm. 

#(config) security ldap edit-realm realm_name 
Changes the prompt. See Submodes for details. 

#(config) security ldap view [realm_name] 

Displays the configuration of all LDAP realms or just the configuration for realm_name if specified. 

Submodes 

#(config) security ldap edit-realm realm_name 
This changes the prompt to: 

#(config ldap realm_name) 

Commands in the ldap realm_name mode: 

#(config ldap realm_name) alternate-server host [port] 

Specifies the alternate server host and port. 

#(config ldap realm_name) case-sensitive {disable | enable} 

Specifies whether or not the LDAP server is case-sensitive. 
#(config ldap realm_name) cookie {persistent {enable | disable} | verify-ip {enable | disable}} 

Specifies whether to enable persistent or session cookies, and whether to verify the IP address of the 
cookie. 

#(config ldap realm_name) default-group-name default_group_name 

If the validate-authorized-user command is disabled and a default-group-name is configured, 
the default-group-name is used as the group name for non-existent users. 

#(config ldap realm_name) display-name display_name 
Specifies the display name for this realm. 

#(config ldap realm_name) distinguished-name user-attribute-type user_attribute_type 

Specifies the attribute type that defines the relative user name. 

#(config ldap realm_name) distinguished-name base-dn {add | demote | promote | 
remove} {base_dn | clear} 

Adds/demotes/promotes/removes a base DN from the base DN list, or clears the base DN list. 

#(config ldap realm_name) exit 

Exits the ldap edit mode and returns to #(config) mode. 

#(config ldap realm_name) inactivity-timeout seconds 

Specifies the amount of time a session can be inactive before being logged out. 

#(config ldap realm_name) log-out {challenge {enable | disable} | display-time seconds} 

Allows you to challenge the user after log out and define the log out page display time. 

#(config ldap realm_name) membership-attribute attribute_name 
Specifies the attribute that defines group membership. 

#(config ldap realm_name) membership-type {group | user} 

Specifies the membership type. Specify group if user memberships are specified in groups. Specify user 
if memberships are specified in users. 

#(config ldap realm_name) membership-username {full | relative} 

Specifies the username type to use during membership lookups. The full option specifies that the 
user's FQDN is used during membership lookups, and relative option specifies that the user's relative 
username is used during membership lookups. Only one can be selected at a time. 

#(config ldap realm_name) nested-group-attribute attribute_name 

Specifies the attribute that defines nested group membership. For other, ad, and nds, the default 
attribute name is member. For iPlanet, the default attribute name is uniqueMember . 

#(config ldap realm_name) no alternate-server 
Clears the alternate-server. 

#(config ldap realm_name) no default-group-name 
Clears the default group name. 

#(config ldap realm_name) no membership-attribute 
Clears the membership-attribute values. 

#(config ldap realm_name) objectclass container {add | remove} {container_objectclass | clear} 

Adds/removes container objectclass values from the list (these values are used during VPM searches of 
the LDAP realm), or clears all values from the container objectclass list. 

#(config ldap realm_name) objectclass group {add | remove} {group_objectclass | clear} 

Adds/removes group objectclass values from the list (these values are used during VPM searches of the 
LDAP realm), or clears all values from the group objectclass list. 
#(config ldap realm_name) objectclass user {add | remove} {user_objectclass | clear} 

Adds/removes user objectclass values from the list (these values are used during VPM searches of the 
LDAP realm), or clears all values from the user objectclass list. 

#(config ldap realm_name) primary-server host [port] 

Specifies the primary server host and port. 

#(config ldap realm_name) protocol-version {2 | 3} 

Specifies the LDAP version to use. SSL and referral processing are not available in LDAP v2. 

#(config ldap realm_name) referrals-follow {disable | enable} 

Disables/enables referral processing. This is available in LDAP v3 only. 

#(config ldap realm_name) refresh-time {authorization-refresh seconds | 
credential-refresh seconds | rejected-credentials-refresh seconds | 
surrogate-refresh seconds} 

Sets the refresh time for authorization, credential, rejected credentials cache, and surrogates. 

#(config ldap realm_name) rename new_realm_name 
Renames this realm to new_realm_name. 

#(config ldap realm_name) search anonymous {disable | enable} 

Disables/enables anonymous searches. 

#(config ldap realm_name) search dereference {always | finding | never | 
searching} 

Specifies the dereference level. Specify always to always dereference aliases. Specify finding to 
dereference aliases only while locating the base of the search. Specify searching to dereference aliases 
only after locating the base of the search. Specify never to never dereference aliases. 

#(config ldap realm_name) search encrypted-password encrypted_password 
Specifies the password to bind with during searches in encrypted format. 

#(config ldap realm_name) search password password 
Specifies the password to bind with during searches. 

#(config ldap realm_name) search user-dn user_dn 
Specifies the user DN to bind with during searches. 

#(config ldap realm_name) server-type {ad | iplanet | nds | other} 

Specifies the LDAP server type for this realm. 

#(config ldap realm_name) spoof-authentication {none | origin | proxy} 

Enables/disables the forwarding of authenticated credentials to the origin content server or for proxy 
authentication. Flush the entries for a realm if the spoof-authentication value is changed to ensure that 
the spoof-authentication value is immediately applied. 

You can only choose one. 

• If set to origin, the spoofed header is an Authorization: header. 

• If set to proxy, the spoofed header is a Proxy-Authorization: header. 

• If set to none, no spoofing is done. 

#(config ldap realm_name) ssl {disable | enable} 

Disables/enables SSL communication between the SG appliance and the LDAP server. This is only 
available in LDAP v3. 

#(config ldap realm_name) ssl-verify-server {disable | enable} 

Specifies whether or not to verify the LDAP server's certificate. 

#(config ldap realm_name) support-nested-groups {disable | enable} 

Enables or disables the nested group feature. 
#(config ldap realm_name) timeout seconds 
Specifies the LDAP server's timeout. 

#(config ldap realm_name) validate-authorized-user {enable | disable} 

When validate-authorized-user is enabled, an authorization (not authentication) request 
verifies that the user exists in the LDAP server. If the user does not exist, the authorization request fails 
(authentication requests always require the user to exist). 

When validate-authorized-user is disabled, no user existence check is made for an authorization 
request. If the user does not exist, the authorization request succeeds. 

#(config ldap realm_name) view 
Displays this realm's configuration. 

#(config ldap realm_name) virtual-url uri 

Specifies the virtual URL to use for this realm. If no URL is specified the global transparent proxy virtual 
URL is used. 



For More Information 

□ Volume 4: Securing the Blue Coat SG Appliance 



Example 



#(config) security ldap edit-realm testldap 
#(config ldap testldap) server-type iplanet 
ok 

#(config ldap testldap) spoof-authentication origin 
ok 

#(config ldap testldap) exit 
#(config) security local 

Using a Local realm is appropriate when the network topography does not include external 
authentication or when you want to add users and administrators to be used by the SG appliance only. 

The Local realm (you can create up to 40) uses a Local User List, a collection of users and groups stored 
locally on the SG appliance. You can create up to 50 different Local User Lists. Multiple Local realms 
can reference the same list at the same time, although each realm can only reference one list at a time. 
The default list used by the realm can be changed at any time. 

Synopsis 

Allows you to configure and manage local realms. 

Syntax 

#(config) security local [subcommands] 



Subcommands 

#(config) security local create-realm realm_name 
Creates the specified local realm. 

#(config) security local delete-realm realm_name 
Deletes the specified local realm. 

#(config) security local edit-realm realm_name 
Changes the prompt. See Submodes for details. 

#(config) security local view [realm_name] 

Displays the configuration of all local realms or just the configuration for realm_name if specified. 

Submodes 

#(config) security local edit-realm realm_name 
This changes the prompt to: 

#(config local realm_name) 

Commands found in this submode include: 

#(config local realm_name) cache-duration seconds 
Specifies the length of time to cache credentials for this realm. 

#(config local realm_name) cookie {persistent {enable | disable} | verify-ip {enable | disable}} 

Specifies whether to enable persistent or session cookies, and whether to verify the IP address of the 
cookie. 

#(config local realm_name) default-group-name default_group_name 

If the validate-authorized-user command is disabled and a default-group-name is configured, 
the default-group-name is used as the group name for non-existent users. 

#(config local realm_name) display-name display_name 
Specifies the display name for this realm. 

#(config local realm_name) exit 

Exits configure security local mode and returns to #(config) mode. 

#(config local realm_name) refresh-time {authorization-refresh seconds | 
surrogate-refresh seconds} 

Sets the refresh time for authorization and surrogates. 
#(config local realm_name) inactivity-timeout seconds 

Specifies the amount of time a session can be inactive before being logged out. 

#(config local realm_name) local-user-list local_user_Iist_name 
Specifies the local user list for this realm. 

#(config local realm_name) no default-group-name 
Clears the default group name. 

#(config local realm_name) rename new_realm_name 
Renames this realm to new_realm_name. 

#(config local realm_name) spoof-authentication {none | origin | proxy} 

Enables/disables the forwarding of authenticated credentials to the origin content server or for proxy 
authentication. You can only choose one. 

• If set to origin, the spoofed header is an Authorization: header. 

• If set to proxy, the spoofed header is a Proxy-Authorization: header. 

• If set to none, no spoofing is done. 

Flush the entries for a realm if the spoof-authentication value is changed to ensure that the 
spoof-authentication value is immediately applied. 

#(config local realm_name) validate-authorized-user {disable | enable} 

When validate-authorized-user is enabled, an authorization (not authentication) request 
verifies that the user exists in the local user list. If the user does not exist in the list, the authorization 
request fails (authentication requests always require the user to exist). 

When validate-authorized-user is disabled, no user existence check is made for an authorization 
request. If the user does not exist, the authorization request succeeds. 

#(config local realm_name) view 
Displays this realm's configuration. 

#(config local realm_name) virtual-url uri 

Specifies the virtual URL to use for this realm. If no URL is specified the global transparent proxy virtual 
URL is used. 
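The validate-authorized-user and default-group-name behaviour described above for LDAP realms and here for local realms, modelled as an added Python example. This is illustration code, not SGOS code; the directory contents, usernames and group names are constructed. It shows the point a practitioner cares about: with validation disabled, an authorization request for a user the realm has never heard of still succeeds, and the default group (if any) is attached to that unknown user.

```python
"""Authorization semantics of validate-authorized-user and default-group-name
(LDAP and local realms). Added example; the directory below is constructed."""
from typing import Dict, List, Optional, Tuple

# Constructed realm contents: username -> group memberships
DIRECTORY: Dict[str, List[str]] = {
    "alice": ["admins", "staff"],
    "bob": ["staff"],
}


def authenticate(user: str, directory: Dict[str, List[str]]) -> bool:
    """Authentication requests always require the user to exist in the realm.
    Credential checking itself is out of scope for this illustration."""
    return user in directory


def authorize(user: str, directory: Dict[str, List[str]],
              validate_authorized_user: bool,
              default_group_name: Optional[str]) -> Tuple[bool, List[str]]:
    """Authorization-only request (the user was authenticated elsewhere).

    Returns (authorized, groups).
    - Known user: authorized with the groups held in the directory.
    - Unknown user, validation enabled: the request fails.
    - Unknown user, validation disabled: the request succeeds, and the
      configured default-group-name (if any) becomes the user's group.
    """
    if user in directory:
        return True, list(directory[user])
    if validate_authorized_user:
        return False, []
    return True, ([default_group_name] if default_group_name else [])


def compare_settings(user: str, default_group_name: Optional[str]) -> Dict[str, Tuple[bool, List[str]]]:
    """Outcome for the same request under both validate-authorized-user settings."""
    return {
        "enabled": authorize(user, DIRECTORY, True, default_group_name),
        "disabled": authorize(user, DIRECTORY, False, default_group_name),
    }


if __name__ == "__main__":
    for name in ("alice", "mallory"):
        print(name, "authenticates:", authenticate(name, DIRECTORY))
        print(name, compare_settings(name, "guests"))
```

Running the comparison for an unknown user makes the difference between the two settings visible: the enabled case returns a denial, the disabled case returns an approval carrying the default group.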



For More Information 

□ #(config security local-user-list) on page 281 

□ Volume 4: Securing the Blue Coat SG Appliance 



Example 



#(config) security local edit-realm testlocal 
#(config local testlocal) cache-duration 1500 
ok 

#(config local testlocal) spoof-authentication proxy 
ok 

#(config local testlocal) exit 
#(config) 
#(config security local-user-list) 

The local-user-list is only used in conjunction with local realms. 

Synopsis 

Manages the local-user-list used in local realms. 

Syntax 

#(config) security local-user-list [subcommands] 

Subcommands 

#(config) security local-user-list clear [force] 

Clears all local user lists. Lists referenced by local realms and the default local user list are recreated but 
empty. Specify force to clear realms without a prompt for confirmation. 

#(config) security local-user-list create local_user_list 
Creates the local user list with the name specified. 

#(config) security local-user-list default append-to-default {disable | enable} 

Disables/enables appending uploaded users to the default local user list. 

#(config) security local-user-list default list local_user_list 

Specifies the default local user list. The default list is populated during password file uploads. The 
default list is also the default list used by local realms when they are created. 

#(config) security local-user-list delete local_user_list [force] 

Deletes the specified local user list. The default list and any lists used by local realms cannot be deleted. 
Specify force to delete the list without a prompt for confirmation. 

#(config) security local-user-list edit local_user_list 
Changes the prompt. See Submodes. 

Submodes 

#(config) security local-user-list edit local_user_list 
This changes the prompt to: 

#(config local-user-list local_user_list) 

Commands found in this submode include: 

#(config local-user-list local_user_list) disable-all 
Disables all user accounts in the specified list. 

#(config local-user-list local_user_list) enable-all 
Enables all user accounts in the specified list. 

#(config local-user-list local_user_list) exit 

Exits configure local-user-list mode and returns to configure mode. 

#(config local-user-list local_user_list) group clear 

Clears all groups from the list. The users remain but do not belong to any groups. 

#(config local-user-list local_user_list) group create group_name 
Creates the specified group in the local user list. 

#(config local-user-list local_user_list) group delete group_name [force] 

Deletes the specified group in the local user list. 

#(config local-user-list local_user_list) lockout-duration seconds 

The length of time a user account is locked out after too many failed password attempts. The default is 
3600 seconds. 
#(config local-user-list local_user_list) max-failed-attempts attempts 

The number of failed attempts to login to an SG appliance before the user account is locked. The default 
is 60 attempts. 

#(config local-user-list local_user_list) no {lockout-duration | 
max-failed-attempts | reset-interval} 

Disables the settings for this user list. 

#(config local-user-list local_user_list) reset-interval seconds 

The length of time in seconds to wait after the last failed attempt before resetting the failed counter to zero. 

#(config local-user-list local_user_list) user clear 

Clears all users from the list. The groups remain but do not have any users. 

#(config local-user-list local_user_list) user create user_name 
Creates the specified user in the local user list. 

#(config local-user-list local_user_list) user delete user_name [force] 

Deletes the specified user in the local user list. 

#(config local-user-list local_user_list) user edit user_name 

Changes the prompt to #(config local-user-list local_user_list user_name). 

Edits the specified user in the local user list. 

#(config local-user-list local_user_list user_name) {disable | enable} 

Disables/enables the user account. 



#(config local-user-list local_user_list user_name) exit 

Exits configure local-user-list user_list mode and returns to configure local-user-list mode. 



#(config local-user-list local_user_list user_name) group {add | remove} groupname 

Adds/removes the specified group from the user. 

#(config local-user-list local_user_list user_name) hashed-password hashed_password 

Specifies the user's password in hashed format. 

#(config local-user-list local_user_list user_name) password password 
Specifies the user's password. 



#(config local-user-list local_user_list user_name) view 
Displays the user account. 



#(config local-user-list local_user_list) view 
Displays all users and groups in the local user list. 
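The interplay of max-failed-attempts, reset-interval and lockout-duration described above, modelled as an added Python example. This is illustration code, not SGOS code: the page gives defaults of 60 attempts and 3600 seconds and no default for reset-interval, so the policy values and the login timeline used in the demo are constructed. The model shows why reset-interval matters: failures spaced further apart than the interval never accumulate towards a lockout, while failures inside the interval do.

```python
"""Model of the local-user-list lockout settings: max-failed-attempts,
reset-interval and lockout-duration. Added example, not SGOS code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    # Page defaults: 60 attempts, 3600 s lockout. The page gives no default
    # for reset-interval, so None here means the counter never self-resets.
    max_failed_attempts: int = 60
    lockout_duration: int = 3600
    reset_interval: Optional[int] = None


@dataclass
class AccountState:
    failed: int = 0
    last_failure: Optional[float] = None
    locked_until: Optional[float] = None


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        """True while the lockout-duration has not yet elapsed."""
        st = self._state(user)
        if st.locked_until is None:
            return False
        if now >= st.locked_until:
            # Lockout expired: clear it and start the counter afresh.
            st.locked_until = None
            st.failed = 0
            st.last_failure = None
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed login; returns True if the account is now locked."""
        st = self._state(user)
        if self.is_locked(user, now):
            return True
        p = self.policy
        # reset-interval: if the previous failure is older than the interval,
        # the failed counter goes back to zero before this failure is counted.
        if (p.reset_interval is not None and st.last_failure is not None
                and now - st.last_failure >= p.reset_interval):
            st.failed = 0
        st.failed += 1
        st.last_failure = now
        if st.failed >= p.max_failed_attempts:
            st.locked_until = now + p.lockout_duration
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """A correct password is rejected while locked; otherwise it clears the counter."""
        if self.is_locked(user, now):
            return False
        self.accounts[user] = AccountState()
        return True


def demo() -> Tuple[List[bool], bool, bool, bool]:
    # Constructed policy: lock after 3 failures, 60 s reset-interval, 600 s lockout.
    tracker = LockoutTracker(LockoutPolicy(3, 600, 60))
    events = [
        tracker.record_failure("alice", 0),    # failure 1
        tracker.record_failure("alice", 10),   # failure 2 (10 s later)
        tracker.record_failure("alice", 80),   # 70 s gap >= reset-interval: counter restarts at 1
        tracker.record_failure("alice", 90),   # failure 2 of the new window
        tracker.record_failure("alice", 100),  # failure 3: account locked until t=700
    ]
    locked_now = tracker.is_locked("alice", 101)
    login_during_lockout = tracker.record_success("alice", 200)  # rejected
    locked_after_expiry = tracker.is_locked("alice", 700)        # lockout over
    return events, locked_now, login_during_lockout, locked_after_expiry


if __name__ == "__main__":
    print(demo())
```

Without the reset-interval (the None case), the five failures above would have locked the account at the third attempt; with it, the long gap between the second and third failure buys the legitimate user a fresh start, which is the trade-off the operator is making when choosing a value.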



For More Information 

□ #(config) security local on page 279 

□ Volume 4: Securing the Blue Coat SG Appliance 



Example 

#(config) security local-user-list edit testlul 

#(config local-user-list testlul) user create testuser 
ok 

#(config local-user-list testlul) user edit testuser 
#(config local-user-list testlul testuser) enable 
ok 

#(config local-user-list testlul testuser) exit 
#(config local-user-list testlul) exit 
#(config)
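The max-failed-attempts, reset-interval and lockout-duration settings above form a small account-lockout state machine. The following added Python model (not SGOS code) shows how those three values interact for one user: a reset-interval that clears stale failures and a lockout-duration after which the account unlocks; the meaning of lockout-duration, and that a correct password is rejected while the account is locked, are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    """Lockout settings of one local user list; names mirror the CLI subcommands."""
    max_failed_attempts: Optional[int] = 60  # page default; None models 'no max-failed-attempts'
    reset_interval: Optional[int] = None     # seconds after the last failure before the counter resets
    lockout_duration: Optional[int] = None   # assumption: seconds an account stays locked;
                                             # None = locked until an administrator intervenes


@dataclass
class UserState:
    enabled: bool = True
    failed: int = 0
    last_failure: Optional[float] = None
    locked_at: Optional[float] = None


class LocalUserList:
    """Tracks failed logins per user and applies the lockout policy (hypothetical model)."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.users: Dict[str, UserState] = {}

    def user_create(self, name: str) -> UserState:
        self.users[name] = UserState()
        return self.users[name]

    def is_locked(self, name: str, now: float) -> bool:
        u = self.users[name]
        if u.locked_at is None:
            return False
        d = self.policy.lockout_duration
        if d is not None and now - u.locked_at >= d:
            # Lockout expired: unlock and start counting failures afresh.
            u.locked_at = None
            u.failed = 0
            return False
        return True

    def attempt(self, name: str, password_ok: bool, now: float) -> str:
        """Record one login attempt at time 'now' (seconds).

        Returns 'ok', 'fail', 'locked' or 'disabled'. A correct password is
        still rejected while the account is locked (assumption).
        """
        u = self.users[name]
        if not u.enabled:
            return "disabled"
        if self.is_locked(name, now):
            return "locked"
        ri = self.policy.reset_interval
        if ri is not None and u.last_failure is not None and now - u.last_failure >= ri:
            u.failed = 0  # reset-interval elapsed since the last failure
        if password_ok:
            u.failed = 0
            u.last_failure = None
            return "ok"
        u.failed += 1
        u.last_failure = now
        m = self.policy.max_failed_attempts
        if m is not None and u.failed >= m:
            u.locked_at = now
            return "locked"
        return "fail"


if __name__ == "__main__":
    # Constructed scenario: three failures lock the account, which reopens after 60 s.
    lst = LocalUserList(LockoutPolicy(max_failed_attempts=3, reset_interval=10, lockout_duration=60))
    lst.user_create("testuser")
    for t in (0, 1, 2, 3):
        print(t, lst.attempt("testuser", password_ok=(t == 3), now=t))
    print(62, lst.attempt("testuser", password_ok=True, now=62))
```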
#(config security management) 

Synopsis 

Manages the automatic logging out of a user and sets the name of the realm displayed in the management console
challenge.

Syntax 

#(config) security management [subcommands] 



Subcommands 

#(config) security management auto-logout-timeout seconds

Specifies the length of a management console session before the administrator is required to re-enter
credentials. The default is 900 seconds (15 minutes). Acceptable values are between 300 and 86400
seconds (5 minutes to 24 hours).

#(config) security management display-realm realm_name 

Specifies the realm to display in the management console challenge. The default value is the IP address 
of the SG appliance. 

#(config) security management no auto-logout-timeout 

Disables the automatic session logout. 

#(config) security management no display-realm 

Resets the display realm to be the IP address of the SG appliance. 

For More Information 

□ Volume 1: Getting started 

Example 

#(config) security management auto-logout-timeout seconds
#(config security novell-sso) 

Synopsis 

Allows you to configure and manage Novell SSO realms. 

Syntax 

#(config) security novell-sso [subcommands] 

Subcommands 

#(config) security novell-sso create-realm realm_name 
Creates the specified Novell SSO realm. 

#(config) security novell-sso delete-realm realm_name 
Deletes the specified Novell SSO realm. 

#(config) security novell-sso edit-realm realm_name 
Changes the prompt. See Submodes for details. 

#(config) security novell-sso view [realm_name] 

Displays the configuration of all Novell SSO realms or just the configuration for realm_name if 
specified. 

Submodes 

#(config) security novell-sso edit-realm realm_name
This changes the prompt to:

#(config novell-sso realm_name)

Commands found in this submode include:

SGOS# (config novell-sso realm_name) alternate-agent [host hostname | port
port_number]

Specifies the alternate agent hostname and port number. 

SGOS# (config novell-sso realm_name) authorization {realm-name
authorization-realm-name | username username | no {authorization-realm-name |
username} | self}

Specifies the realm name, which can be self, and the username used for authorization. The no form clears the
realm name and username.

SGOS# (config novell-sso realm_name) cookie {persistent {disable | enable} |
verify-ip {disable | enable}}

Specifies whether to enable persistent or session cookies, and whether to verify the IP address of the 
cookie. 

SGOS# (config novell-sso realm_name) exit 
Leaves the novell-sso edit-realm mode. 

SGOS# (config novell-sso realm_name) full-search {day-of-week | time-of-day}

Specifies the day of the week on which full searches occur and the time of day (UTC) at which to search.

SGOS# (config novell-sso realm_name) inactivity-timeout seconds 
Specifies the amount of time a session can be inactive before being logged out. 

SGOS# (config novell-sso realm_name) ldap monitor-server {add LDAP_host [LDAP_port] |
clear | remove LDAP_host [LDAP_port]}

Adds an LDAP host to the list of servers to be monitored, clears the list, or removes a specific LDAP host from
the list of servers to be monitored.




SGOS# (config novell-sso realm_name) ldap search-realm ldap_realm
Specifies the name of the realm to search and monitor.

SGOS# (config novell-sso realm_name) ldap-name {login-time LDAP_name | network-address
LDAP_name}

Specifies the name of the LDAP server for Novell directory attributes. 

SGOS# (config novell-sso realm_name) no alternate-agent 
Removes the alternate agent. 

SGOS# (config novell-sso realm_name) primary-agent [host hostname | port port_number]
Specifies the primary agent hostname and port number. 

SGOS# (config novell-sso realm_name) refresh-time {authorization-refresh seconds |
surrogate-refresh seconds}

Sets the refresh time for authorization and surrogates. 

SGOS# (config novell-sso realm_name) rename new_realm_name
Renames the current realm to new_realm_name.

SGOS# (config novell-sso realm_name) ssl {enable | disable} 

Enables or disables SSL between the SG appliance and the BCAAA service. 

SGOS# (config novell-sso realm_name) ssl-verify-agent {enable | disable}

Enables or disables verification of the BCAAA certificate. By default, if SSL is enabled, the Novell SSO
BCAAA certificate is verified.

SGOS# (config novell-sso realm_name) timeout seconds 

The time allotted for each request attempt. The default is 60 seconds. 

SGOS# (config novell-sso realm_name) view 
Displays this realm's configuration. 

SGOS# (config novell-sso realm_name) virtual-url url

Specifies the virtual URL to use for this realm. If no URL is specified the global transparent proxy virtual 
URL is used. 
#(config) security password and hashed_password 

Synopsis 

Sets the console password to the password specified. 

Syntax 

#(config) security password "password" 

#(config) security password hashed-password hashed_password 

Subcommands 

#(config) security password "password" 

Note that the password must be in quotes. This is the password required to enter enable mode from the 
CLI when using console credentials, the serial console, or RSA SSH. 

#(config) security hashed-password hashed_password

The password in hashed format. You can either hash the password prior to entering it, or you can allow 
the SG appliance to hash the password. 

For More Information 

□ Volume 4: Securing the Blue Coat SG Appliance 

Example 

#(config) security password "good2test" 
#(config) security password-display

Synopsis 

Sets various display settings. 

Syntax 

#(config) security password-display [subcommands] 



Subcommands 

#(config) security password-display {encrypted | none} 

Specifies the format in which passwords are displayed in show config output. Specify encrypted to display
encrypted passwords. Specify none to display no passwords.

#(config) security password-display keyring 

Specifies the keyring to use for password encryption. 

#(config) security password-display view 
Displays the current password display settings. 

For More Information 

□ Volume 4: Securing the Blue Coat SG Appliance 

Example 

#(config) security password-display view 

Password display mode: Encrypted 

Password encryption keyring: configuration-passwords-key
#(config security policy-substitution) 

A Policy Substitution realm provides a mechanism for identifying and authorizing users based on
information in the request to the SG appliance. The realm uses information in the request and about
the client to identify the user. The realm is configured to construct user identity information by using
policy substitutions.

The Policy Substitution realm is typically used for best-effort user discovery, mainly for logging and
subsequent reporting purposes, without the need to authenticate the user. Be aware that if you use
Policy Substitution realms to provide granular policy on a user, it might not be very secure because the
information used to identify the user can be forged.



Synopsis 

Allows you to create and manage policy-substitution realms.



Syntax 

#(config) security policy-substitution [subcommands]



Subcommands 



#(config) security policy-substitution create-realm realm_name
Creates the specified policy-substitution realm.

#(config) security policy-substitution delete-realm realm_name
Deletes the specified policy-substitution realm.

#(config) security policy-substitution edit-realm realm_name
Changes the prompt. See Submodes for details.



#(config) security policy-substitution view [realm_name]

Displays the configuration of all policy-substitution realms or just the configuration for realm_name if
specified.



Submodes 

#(config) security policy-substitution edit-realm realm_name
This changes the prompt to:

#(config policy-substitution realm_name)

Commands found in this submode include:

#(config policy-substitution realm_name) authorization-realm-name realm_name

This option is only required if you are associating an authorization realm with the Policy Substitution
realm.

#(config policy-substitution realm_name) cookie {persistent {disable | enable} |
verify-ip {disable | enable}}

Specifies whether to enable persistent or session cookies, and whether to verify the IP address of the
cookie.

#(config policy-substitution realm_name) exit
Leaves the policy-substitution edit-realm mode.

#(config policy-substitution realm_name) full-username construction_rule

The full username as created through policy substitutions. The construction rule is made up of any of the
substitutions whose values are available at client logon, listed in Appendix D, "CPL Substitutions," in
Volume 10: Content Policy Language Guide.
Note: The username and full username attributes are character strings that contain policy
substitutions. When authentication is required for the transaction, these character strings are
processed by the policy substitution mechanism, using the current transaction as input. The
resulting string is stored in the user object in the transaction, and becomes the user's identity.

To create full usernames for various uses in Policy Substitution realms, refer to Volume 10:
Content Policy Language Guide.

#(config policy-substitution realm_name) inactivity-timeout seconds
Specifies the amount of time a session can be inactive before being logged out.

#(config policy-substitution realm_name) no authorization-realm-name
Clears the authorization realm name.

#(config policy-substitution realm_name) refresh-time {authorization-refresh
seconds | surrogate-refresh seconds}

Sets the refresh time for authorization and surrogates.

#(config policy-substitution realm_name) rename new_realm_name
Renames this realm to new_realm_name.

#(config policy-substitution realm_name) username construction_rule

The username as created through policy substitutions. Note that the username is only required if you are
using an authorization realm. The construction rule is made up of any of the policy substitutions whose
values are available at client logon, listed in Appendix D, "CPL Substitutions," in Volume 10: Content
Policy Language Guide.



Note: The username and full username attributes are character strings that contain policy
substitutions. When authentication is required for the transaction, these character strings are
processed by the policy substitution mechanism, using the current transaction as input. The
resulting string is stored in the user object in the transaction, and becomes the user's identity.

To create usernames for the various uses of Policy Substitution realms, refer to Volume 10:
Content Policy Language Guide.

#(config policy-substitution realm_name) view
Displays this realm's configuration.

#(config policy-substitution realm_name) virtual-url url

Specifies the virtual URL to use for this realm. If no URL is specified the global transparent proxy virtual URL
is used.

For More Information 

□ Volume 8: Access Logging 

□ Volume 10: Content Policy Language Guide 

Example 

#(config) security policy-substitution edit-realm PS1

#(config policy-substitution PS1) authorization-realm-name LDAP1
#(config policy-substitution PS1) username $(netbios.messenger-username)

#(config policy-substitution PS1) full-username
cn=$(netbios.messenger-username),cn=users,dc=$(netbios.computer-domain),dc=company,dc=com
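The Note above describes how the username and full-username construction rules are expanded against the current transaction to form the user's identity. The following added Python model (not SGOS code) reproduces that expansion for the PS1 rules from the example, treating substitutions with no value as empty and reporting them so a best-effort identity can be told apart from a complete one; the regular-expression form of a substitution and the transaction dictionary are assumptions.

```python
from __future__ import annotations

import re
from typing import Dict, List, Tuple

# Assumption: a substitution has the CPL form $(name), e.g. $(netbios.messenger-username).
SUBSTITUTION = re.compile(r"\$\(([A-Za-z0-9_.\-]+)\)")


def expand(rule: str, transaction: Dict[str, str]) -> Tuple[str, List[str]]:
    """Expand every $(name) in a construction rule from the transaction attributes.

    Returns the resulting string and the names that had no value in this
    transaction; those expand to the empty string, since the realm is best-effort.
    """
    missing: List[str] = []

    def lookup(m: "re.Match[str]") -> str:
        name = m.group(1)
        value = transaction.get(name, "")
        if value == "":
            missing.append(name)
        return value

    return SUBSTITUTION.sub(lookup, rule), missing


def build_user_identity(username_rule: str, full_username_rule: str,
                        transaction: Dict[str, str]) -> dict:
    """Build the identity the realm would store in the transaction's user object.

    The attribute values come from the client's request, so (as the section
    warns) they are unauthenticated and can be forged; 'identified' only says
    that the username rule produced a non-empty string, not that it is true.
    """
    username, missing_u = expand(username_rule, transaction)
    full_username, missing_f = expand(full_username_rule, transaction)
    return {
        "username": username,
        "full_username": full_username,
        "unresolved": sorted(set(missing_u + missing_f)),
        "identified": username != "",
    }


# Constructed: the PS1 realm rules from the example above.
USERNAME_RULE = "$(netbios.messenger-username)"
FULL_USERNAME_RULE = ("cn=$(netbios.messenger-username),cn=users,"
                      "dc=$(netbios.computer-domain),dc=company,dc=com")

if __name__ == "__main__":
    # Constructed transaction attributes for one request.
    tx = {"netbios.messenger-username": "jsmith", "netbios.computer-domain": "corp"}
    print(build_user_identity(USERNAME_RULE, FULL_USERNAME_RULE, tx))
    print(build_user_identity(USERNAME_RULE, FULL_USERNAME_RULE, {}))
```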
#(config security radius) 

RADIUS is often the protocol of choice for ISPs or enterprises with very large numbers of users. 
RADIUS is designed to handle these large numbers through centralized user administration that eases 
the repetitive tasks of adding and deleting users and their authentication information. RADIUS also 
inherently provides some protection against sniffing. 

Some RADIUS servers support one-time passwords. One-time passwords are passwords that become
invalid as soon as they are used. The passwords are often generated by a token or program, although
pre-printed lists are also used. Using one-time passwords ensures that the password cannot be used in
a replay attack.

The SG appliance's one-time password support works with products such as Secure Computing
SafeWord synchronous and asynchronous tokens and RSA SecurID tokens.

The SG appliance supports RADIUS servers that use challenge/response as part of the authentication
process. SafeWord asynchronous tokens use challenge/response to provide authentication. SecurID
tokens use challenge/response to initialize or change PINs.

Synopsis 

Allows you to create and manage RADIUS realms. 

Syntax 

#(config) security radius [subcommands] 



Subcommands 

#(config) security radius create-realm realm_name 
Creates the specified RADIUS realm.

#(config) security radius delete-realm realm_name 
Deletes the specified RADIUS realm. 

#(config) security radius edit-realm realm_name 
Changes the prompt. See Submodes for details. 

#(config) security radius view [realm_name] 

Displays the configuration of all RADIUS realms or just the configuration for realm_name if specified. 

Submodes 

#(config) security radius edit-realm realm_name 
This changes the prompt to: 

#(config radius realm_name) 

Commands found in this submode include: 

#(config radius realm_name) alternate-server encrypted-secret encrypted_secret
Specifies the alternate server secret in encrypted format. Note that you must create the encrypted secret
before executing the host [port] command.

#(config radius realm_name) alternate-server host [port]

Specifies the alternate server host and port.

#(config radius realm_name) alternate-server secret secret

Specifies the alternate server secret. Note that you must create the secret before executing the host
[port] command.

#(config radius realm_name) case-sensitive {disable | enable} 

Specifies whether or not the RADIUS server is case-sensitive. 
#(config radius realm_name) cookie {persistent {enable | disable} | verify-ip
{enable | disable}}

Specifies whether to enable persistent or session cookies, and whether to verify the IP address of the 
cookie. 

#(config radius realm_name) display-name display_name 
Specifies the display name for this realm. 

#(config radius realm_name) exit 

Exits configure radius-realm mode and returns to configure mode. 

#(config radius realm_name) inactivity-timeout seconds

Specifies the amount of time a session can be inactive before being logged out. 

#(config radius realm_name) log-out {challenge {enable | disable} | display-time
seconds}

Allows you to challenge the user after log out and define the log out page display time. 

#(config radius realm_name) no alternate-server 
Clears the alternate-server. 

#(config radius realm_name) one-time-passwords {enable | disable}

Allows you to use one-time passwords for authentication. The default is disabled. 

#(config radius realm_name) primary-server encrypted-secret encrypted_secret
Specifies the primary server secret in encrypted format.

#(config radius realm_name) primary-server host [port]

Specifies the primary server host and port.

#(config radius realm_name) primary-server secret secret
Specifies the primary server secret.

#(config radius realm_name) refresh-time {credential-refresh seconds |
rejected-credentials-refresh seconds | surrogate-refresh seconds}

Sets the refresh time for credential, rejected credentials cache, and surrogates. 

#(config radius realm_name) rename new_realm_name 
Renames this realm to new_realm_name. 

#(config radius realm_name) server-retry count 

Specifies the number of authentication retry attempts. This is the number of attempts permitted before 
marking a server offline. The client maintains an average response time from the server; the retry interval 
is initially twice the average. If that retry packet fails, then the next packet waits twice as long again. This 
increases until it reaches the timeout value. The default number of retries is 10. 

#(config radius realm_name) spoof-authentication {none | origin | proxy}

Enables/disables the forwarding of authenticated credentials to the origin content server or for proxy
authentication. You can only choose one.

• If set to origin, the spoofed header is an Authorization: header.

• If set to proxy, the spoofed header is a Proxy-Authorization: header.

• If set to none, no spoofing is done.

Flush the entries for a realm if the spoof-authentication value is changed to ensure that the
spoof-authentication value is immediately applied.

#(config radius realm_name) timeout seconds 

Specifies the RADIUS request timeout. This is the number of seconds the SG appliance allows for each 
request attempt before giving up on a server and trying another server. Within a timeout multiple 
packets can be sent to the server, in case the network is busy and packets are lost. The default request 
timeout is 10 seconds. 

#(config radius realm_name) server-charset charset

Allows you to select the character set you need. A character set is a MIME charset name. Any of the
standard charset names for encodings commonly supported by Web browsers can be used. The default is
Unicode:UTF8.

One list of standard charset names is found at
http://www.iana.org/assignments/character-sets.

#(config radius realm_name) view 
Displays this realm's configuration. 

#(config radius realm_name) virtual-url url 

Specifies the virtual URL to use for this realm. If no URL is specified the global transparent proxy virtual 
URL is used. 



For More Information 

□ Volume 4: Securing the Blue Coat SG Appliance 



Example 

#(config) security radius edit-realm testradius
#(config radius testradius) server-retry 8
ok

#(config radius testradius) spoof-authentication proxy
ok

#(config radius testradius) exit
#(config security request-storage) 

When a request requiring the user to be challenged with a form contains a body, the request is stored 
on the SG appliance while the user is being authenticated. Storage options include: 

□ the maximum request size. 

□ the expiration of the request.

□ whether to verify the IP address of the client making the request against the original request.

□ whether to allow redirects from the origin server.

The storage options are global, applying to all form exceptions you use.

The global allow-redirects configuration option can be overridden at a finer granularity in policy
using the authenticate.redirect_stored_requests(yes | no) action.

Synopsis

Used with authentication forms to store requests.

Syntax 

#(config) security request-management [subcommands] 



Subcommands 

#(config) security request-management allow-redirects {disable | enable} 

Specifies whether to allow redirects. The default is disable. 

#(config) security request-management expiry-time seconds

Sets the amount of time before the stored request expires. The default is 300 seconds (five minutes).

#(config) security request-management max-size megabytes

Sets the maximum POST request size during authentication. The default is 50 megabytes.

#(config) security request-management verify-ip {disable | enable}

Enables or disables the verify-ip option. The default is to enable the SG appliance to verify the IP address
against the original request.



For More Information 

□ #(config security authentication-forms) on page 260

□ Volume 4: Securing the Blue Coat SG Appliance 



Example 



#(config) security request-storage max-size megabytes
#(config) security request-storage expiry-time seconds
#(config) security request-storage verify-ip {enable | disable}
#(config) security request-storage allow-redirects {enable | disable}
#(config security sequence) 

Once a realm is configured, you can associate it with other realms to allow Blue Coat to search for the 
proper authentication credentials for a specific user. That is, if the credentials are not acceptable to the 
first realm, they are sent to the second, and so on until a match is found or all the realms are exhausted. 
This is called sequencing. 

Synopsis 

Allows you to create and manage sequence realms. 

Syntax 

#(config) security sequence [subcommands] 

Subcommands 

#(config) security sequence create-realm realm_name 
Creates the specified sequence realm.

#(config) security sequence delete-realm realm_name 
Deletes the specified sequence realm. 

#(config) security sequence edit-realm realm_name 
Changes the prompt. See Submodes for details. 

#(config) security sequence view [realm_name] 

Displays the configuration of all sequence realms or just the configuration for realm_name if specified. 

Submodes

#(config) security sequence edit-realm realm_sequence_name

This changes the prompt to:

#(config sequence realm_sequence_name)

Commands available in this submode include:

#(config sequence realm_sequence_name) display-name display_name 
Specifies the display name for this realm. 

#(config sequence realm_sequence_name) exit 

Exits configure sequence-realm mode and returns to configure mode. 

#(config sequence realm_sequence_name) IWA-only-once {disable | enable} 

Specifies whether or not to challenge for credentials for the IWA realm one or multiple times. 

#(config sequence realm_sequence_name) realm {add | demote | promote | remove}
{realm_name | clear}

Adds/demotes/promotes/removes a realm from the realm sequence, or clears all realms from the realm
sequence.

#(config sequence realm_sequence_name) rename new_realm_name 
Renames this realm to new_realm_sequence_name. 

#(config sequence realm_sequence_name) try-next-realm-on-error {disable | enable}
Use this command to specify that the next realm on the list should be attempted if 
authentication in the previous realm has failed with a permitted error. The default value is to 
not attempt the next realm and fall out of the sequence. 

#(config sequence realm_sequence_name) view 
Displays this realm's configuration. 



#(config sequence realm_sequence_name) virtual-url url

Specifies the virtual URL to use for this realm sequence. If no URL is specified the global transparent 
proxy virtual URL is used. 

For More Information 

□ Volume 4: Securing the Blue Coat SG Appliance 



Example 



#(config) security sequence edit-realm testsequence
#(config sequence testsequence) IWA-only-once disable
ok

#(config sequence testsequence) realm clear
ok

#(config sequence testsequence) exit
#(config security siteminder) 

Within the SiteMinder system, BCAAA acts as a custom Web agent. It communicates with the 
SiteMinder policy server to authenticate the user and to obtain a SiteMinder session token, response 
attribute information, and group membership information. 

Custom header and cookie response attributes associated with OnAuthAccept and OnAccessAccept 
attributes are obtained from the policy server and forwarded to the SG appliance. They can (as an 
option) be included in requests forwarded by the appliance. 

Within the SG system, BCAAA acts as its agent to communicate with the SiteMinder server. The SG 
appliance provides the user information to be validated to BCAAA, and receives the session token and 
other information from BCAAA. 

Each SG SiteMinder realm used causes the creation of a BCAAA process on the Windows host
computer running BCAAA. A single host computer can support multiple SG realms (from the same or 
different SG appliances); the number depends on the capacity of the BCAAA host computer and the 
amount of activity in the realms. 



Note: Each (active) SiteMinder realm on the SG appliance should reference a different agent on the
Policy Server.

Configuration of the SG's realm must be coordinated with configuration of the SiteMinder policy
server. Each must be configured to be aware of the other. In addition, certain SiteMinder responses
must be configured so that BCAAA gets the information the SG appliance needs.

Synopsis 

Allows you to create and manage SiteMinder realms. 

Syntax 

#(config) security siteminder [subcommands] 

Subcommands 

#(config) security siteminder create-realm realm_name 
Creates the specified SiteMinder realm.

#(config) security siteminder delete-realm realm_name 
Deletes the specified SiteMinder realm. 

#(config) security siteminder edit-realm realm_name 
Changes the prompt. See Submodes for details. 

#(config) security siteminder view [realm_name] 

Displays the configuration of all SiteMinder realms or just the configuration for realm_name if
specified.
Submodes 

#(config) security siteminder edit-realm realm_name 
This changes the prompt to: 

#(config siteminder realm_name) 

Commands in this submode include: 

#(config siteminder realm_name) add-header-responses {enable | disable} 

Enable if your Web applications need information from the SiteMinder policy server responses. 

#(config siteminder realm_name) alternate-agent agent_name 
Specifies the alternate agent. 

#(config siteminder realm_name) alternate-agent encrypted-secret 

encrypted- shared- secret 

Specifies the alternate agent secret in encrypted format. 

#(config siteminder realm_name) alternate-agent host 

The host ID or the IP address of the system that contains the alternate agent. 

#(config siteminder realm_name) alternate-agent port 
The port where the agent listens. 

#(config siteminder realm_name) alternate-agent shared-secret secret 
Specifies the alternate agent secret. 

#(config siteminder realm_name) alternate-agent always-redirect-offbox
Enables or disables SSO.

#(config siteminder realm_name) always-redirect-offbox {enable | disable}

The SG appliance realm can be configured to always redirect to an off-box authentication service.
The URL of the service is configured in the scheme definition on the SiteMinder policy
server. The SG realm is then configured with always-redirect-offbox enabled.

#(config siteminder realm_name) case-sensitive {enable | disable}

Specifies whether the SiteMinder server is case-sensitive.

#(config siteminder realm_name) cookie {persistent {enable | disable} | verify-ip
{enable | disable}}

Specifies whether to enable persistent or session cookies, and whether to verify the IP address of the 
cookie. 

#(config siteminder realm_name) display-name display_name 
Specifies the display name for this realm. 

#(config siteminder realm_name) exit 

Exits configure siteminder-realm mode and returns to configure mode. 

#(config siteminder realm_name) inactivity-timeout seconds 
Specifies the amount of time a session can be inactive before being logged out. 

#(config siteminder realm_name) log-out {challenge {enable | disable} |
display-time seconds}

Allows you to challenge the user after log out and define the log out page display time. 

#(config siteminder realm_name) no alternate-agent 
Clears the alternate agent configuration. 

#(config siteminder realm_name) primary-agent agent_name 
Specifies the primary agent. 

#(config siteminder realm_name) primary-agent encrypted-secret 

encrypted- shared- secret 

Specifies the primary agent secret in encrypted format. 
#(config siteminder realm_name) primary-agent host

The host ID or the IP address of the system that contains the primary agent.

#(config siteminder realm_name) primary-agent port
The port where the agent listens.

#(config siteminder realm_name) primary-agent shared-secret secret
Specifies the primary agent secret.

#(config siteminder realm_name) primary-agent always-redirect-offbox
Enables or disables the SSO-Only mode. 

#(config siteminder realm_name) protected-resource-name resource_name

The protected resource name is the same as the resource name on the SiteMinder server that has rules
and policy defined for it.

#(config siteminder realm_name) refresh-time {credential-refresh seconds |
rejected-credentials-refresh seconds | surrogate-refresh seconds}

Sets the refresh time for credential, rejected credentials cache, and surrogates.

#(config siteminder realm_name) rename new_realm_name
Renames this realm to new_realm_name.

#(config siteminder realm_name) server-mode {failover | round-robin}

Behavior of the server. Failover mode falls back to one of the other servers if the primary one is down.
Round-robin mode specifies that all of the servers should be used together in a round-robin approach.
Failover is the default.

#(config siteminder realm_name) siteminder-server create servername 
Creates a SiteMinder server. 

#(config siteminder realm_name) siteminder-server delete servername 
Deletes a SiteMinder server. 

#(config siteminder realm_name) siteminder-server edit servername 
This changes the prompt to #(config siteminder realm_name server_name).

#(config siteminder realm_name server_name) accounting-port port_number

The default is 44441. The ports should be the same as the ports configured on the SiteMinder policy 
server. The valid port range is 1-65535. 

#(config siteminder realm_name server_name) authentication-port port_number 

The default is 44442. The ports should be the same as the ports configured on the SiteMinder server. The 
valid port range is 1-65535. 

#(config siteminder realm_name server_name) authorization-port port_number

The default is 44443. The ports should be the same as the ports configured on the SiteMinder server. The 
valid port range is 1-65535. 

#(config siteminder realm_name server_name) connection-increment number

The default is 1. The connection increment specifies how many connections to open at a time if more are
needed and the maximum is not exceeded.

#(config siteminder realm_name server_name) exit 

Leaves the server_name prompt and returns to the SiteMinder realm_name prompt. 

#(config siteminder realm_name server_name) ip-address ipaddress 
The IP address of the SiteMinder server. 

#(config siteminder realm_name server_name) max-connections number 
The default is 256. The maximum number of connections is 32768. 

#(config siteminder realm_name server_name) min-connections number 
The default is 1. 

#(config siteminder realm_name server_name) timeout seconds 
The default is 60. 

#(config siteminder realm_name server_name) view 
Displays the server's configuration. 

#(config siteminder realm_name) ssl {enable | disable}

Enables or disables SSL communication between the SG appliance and BCAAA. 

#(config siteminder realm_name) ssl-verify-agent {enable | disable}

Specifies whether to verify the BCAAA certificate. 

#(config siteminder realm_name) timeout seconds 

#(config siteminder realm_name) validate-client-ip {disable | enable}

Enables validation of the client IP address. If the client IP address in the SSO cookie might be valid yet 
different from the current request's client IP address, for example because of downstream proxies or 
other devices, disable client IP validation. The SiteMinder agents participating in SSO with the SG 
appliance should also be modified: set the TransientIPCheck variable to yes to enable IP validation and 
to no to disable it. Note that with validation disabled an SSO cookie is no longer bound to the address 
it was issued for, so a cookie captured on one host can be presented from another. 

Enable is the default. 

#(config siteminder realm_name) view 
Displays this realm's configuration. 

#(config siteminder realm_name) virtual-url uri 

Specifies the virtual URL to use for this SiteMinder realm. If no URL is specified the global transparent 
proxy virtual URL is used. 

For More Information 

□ #(config security coreid) on page 264 

□ Volume 4: Securing the Blue Coat SG Appliance 

Example 

#(config) security siteminder edit-realm test2 

#(config siteminder test2) server-mode round-robin 
ok 

#(config siteminder test2) ssl enable 
ok 

#(config siteminder test2) exit 

#(config) security transparent-proxy-auth 

Synopsis 

Configures authentication method for transparent proxies 

Syntax 

#(config) security transparent-proxy-auth [subcommands] 

Subcommands 

#(config) security transparent-proxy-auth method {ip | cookie} 

Specifies whether to use IP or cookie surrogate credentials. 

For More Information 

□ Volume 1: Getting started 

Example 

#(config) security transparent-proxy-auth method cookie 

#(config) security users 

Synopsis 

Allows administrators to manage user logins, logouts, and refresh data. 

Syntax 

#(config) security users 
This changes the prompt to: 

#(config users) [subcommands] 

Subcommands 

#(config users) authorization-refresh {ip-addresses prefix [realm_name] | realms [realm_name] | users glob_user_name [realm_name]}

Refreshes authorization data for the specified IP address, realm (or all realms), or user. 

The IP address subnet notation is based on Classless Inter-Domain Routing (CIDR): 

• 1.2.3.4: the IP address 1.2.3.4 

• 1.2.3.0/24: the subnet 1.2.3.0 with netmask 255.255.255.0 

The username pattern is a glob-based pattern, supporting three operators: 

• '*': match zero or more characters 

• '?': match exactly one character 

• '[x-y]': match any character in the character range from 'x' to 'y' 

#(config users) credentials-refresh {ip-addresses prefix [realm_name] | realms [realm_name] | users glob_user_name [realm_name]}

Refreshes credential data for the specified IP address, realm (or all realms), or user. 

#(config users) log-out {ip-addresses prefix [realm_name] | realms [realm_name] | users glob_user_name [realm_name]}

Logs out the specified IP address, realm (or all realms), or user. 

#(config users) surrogates-refresh {ip-addresses prefix [realm_name] | realms [realm_name] | users glob_user_name [realm_name]}

Refreshes surrogate data for the specified IP address, realm (or all realms), or user. 

#(config users) viewdetailed {ip-addresses prefix [realm_name] | realms [realm_name] | users glob_user_name [realm_name]}

See a detailed view of users, sorted by IP address, realm, or username. 

#(config users) view {ip-addresses prefix [realm_name] | realms [realm_name] | users glob_user_name [realm_name]}

See all logged-in users sorted by IP address, realm, or username. 
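
The selectors above (a host or CIDR prefix, an optional realm, or a glob username pattern) decide which session-table entries a refresh or log-out acts on. The following Python is an added illustration, not code from the appliance or from Blue Coat: it applies the same selector semantics to a small constructed session table using the standard library's `ipaddress` and `fnmatch` modules. The addresses, realm names and usernames in `SESSIONS` are invented for the example.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    ip: str
    realm: str
    user: str


# Constructed sample session table; addresses, realms and users are invented.
SESSIONS = [
    Session("10.25.36.17", "ldap_corp", "alice"),
    Session("10.25.36.200", "ldap_corp", "bob"),
    Session("10.25.37.4", "ldap_corp", "alice"),
    Session("192.0.2.9", "siteminder_sso", "svc-backup"),
    Session("192.0.2.10", "siteminder_sso", "svc-build"),
]


def select(sessions, *, ip_prefix=None, user_glob=None, realm=None):
    """Return the entries a `#(config users)` selector would act on.

    ip_prefix -- a host (1.2.3.4) or CIDR prefix (1.2.3.0/24); None = any
    user_glob -- glob using '*', '?' and '[x-y]'; None = any user
    realm     -- restrict to one realm; None = all realms
    """
    net = ipaddress.ip_network(ip_prefix, strict=False) if ip_prefix else None
    chosen = []
    for s in sessions:
        if realm is not None and s.realm != realm:
            continue
        if net is not None and ipaddress.ip_address(s.ip) not in net:
            continue
        # fnmatchcase implements the three operators listed above (plus
        # '[!seq]') and is case-sensitive, unlike fnmatch.fnmatch.
        if user_glob is not None and not fnmatch.fnmatchcase(s.user, user_glob):
            continue
        chosen.append(s)
    return chosen


def log_out(sessions, **selector):
    """Model `log-out`: return the table with the selected entries removed."""
    doomed = set(select(sessions, **selector))
    return [s for s in sessions if s not in doomed]


if __name__ == "__main__":
    # Equivalent of: #(config users) log-out ip-addresses 10.25.36.0/24 ldap_corp
    for s in log_out(SESSIONS, ip_prefix="10.25.36.0/24", realm="ldap_corp"):
        print(s)
```

A single host written without a prefix length is treated as a /32, which is why `ip-addresses 1.2.3.4` and `ip-addresses 1.2.3.4/32` select the same entry.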

For More Information 

□ Volume 4: Securing the Blue Coat SG Appliance 

Example 

#(config) security users 

#(config users) surrogates-refresh ip-addresses 10.25.36.0/24 

#(config) security username 

Synopsis 

Sets the console username. 

Syntax 

#(config) security username name 



For More Information 

□ Volume 4: Securing the Blue Coat SG Appliance 

Example 

#(config) security username QATest 

#(config windows-sso) 

In a Windows SSO realm, the client is never challenged for authentication. Instead, the BCAAA agent 
collects information about the currently logged-on user from the domain controller and/or by querying 
the client machine. Then the IP address of an incoming client request is mapped to a user identity in 
the domain. If authorization information is also needed, then another realm (LDAP or local) must be 
created. 

Synopsis 

Allows you to create and manage Windows SSO realms. 

Syntax 

#(config) security windows-sso [subcommands] 



Subcommands 

#(config) security windows-sso create-realm realm_name 
Creates the specified Windows SSO realm. 

#(config) security windows-sso edit-realm realm_name 

Changes the prompt to allow configuration for the specified realm_name. 

SGOS#(config windows-sso realm_name) alternate-agent {host hostname | port port_number}

Specifies the alternate agent hostname and port number. 

SGOS#(config windows-sso realm_name) authorization {realm-name authorization-realm-name | username username | no {authorization-realm-name | username} | self}

Specifies the realm name, which can be self, and username for authorization. No clears the realm 
and username. 

SGOS#(config windows-sso realm_name) cookie {persistent {disable | enable} | verify-ip {disable | enable}}

Specifies whether to enable persistent or session cookies, and whether to verify the IP address of the 
cookie. 

SGOS#(config windows-sso realm_name) exit 
Leaves the windows-sso edit-realm mode. 

SGOS#(config windows-sso realm_name) inactivity-timeout seconds 
Specifies the amount of time a session can be inactive before being logged out. 

SGOS#(config windows-sso realm_name) no alternate-agent 
Removes the alternate agent. 

SGOS#(config windows-sso realm_name) primary-agent {host hostname | port port_number}

Specifies the primary agent hostname and port number. 

SGOS#(config windows-sso realm_name) refresh-time {authorization-refresh seconds | surrogate-refresh seconds}

Sets the refresh time for authorization and surrogates. 

SGOS#(config windows-sso realm_name) rename new_realm_name 
Renames the current realm to new_realm_name. 

SGOS#(config windows-sso realm_name) ssl {enable | disable}

Enables or disables SSL between the SG appliance and the BCAAA service. 

SGOS#(config windows-sso realm_name) ssl-verify-agent {enable | disable}

Enables or disables verification of the BCAAA certificate. By default, if SSL is enabled, the Windows 
SSO BCAAA certificate is verified. 

SGOS#(config windows-sso realm_name) sso-type {query-client | query-dc | query-dc-client}

Selects the method of querying: client, domain controller, or both. The default is domain controller. 

SGOS#(config windows-sso realm_name) timeout seconds 

The time allotted for each request attempt. The default is 60 seconds. 

SGOS#(config windows-sso realm_name) view 
Displays this realm's configuration. 

SGOS#(config windows-sso realm_name) virtual-url uri 

Specifies the virtual URL to use for this Windows SSO realm. If no URL is specified the global 
transparent proxy virtual URL is used. 

#(config) security windows-sso delete-realm realm_name 
Deletes the specified Windows SSO realm. 

#(config) security windows-sso view [realm_name] 

Displays the configuration of all Windows SSO realms or just the configuration for realm_name if 
specified. 



For More Information 

□ Volume 4: Securing the Blue Coat SG Appliance 

Example 

SGOS#(config) security windows-sso edit-realm test2 

SGOS#(config windows-sso test2) sso-type query-dc-client 
ok 

SGOS#(config windows-sso test2) exit 

#(config security xml) 

An XML realm uses XML messages to request authentication and authorization information from an 
HTTP XML service (the XML responder that runs on an external server). The XML realm (the XML 
requestor) supports both HTTP GET and HTTP POST methods to request an XML response. The XML 
messages are based on SOAP 1.2. 

The XML responder service accepts XML requests from the SG appliance, communicates with an 
authentication or authorization server, and responds with the result. When the realm is used to 
authenticate users, it challenges for Basic credentials. The username and password are then sent to the 
XML responder to authenticate and authorize the user. 

The XML realm can place the username and password in the HTTP headers of the request or in the 
body of the XML POST request. If the credentials are placed in the HTTP headers, the Web server must 
do the authentication and the XML service just handles authorization. If credentials are placed in the 
XML request body, the XML service handles both authentication and authorization. 

Synopsis 

Allows you to configure and manage XML realms. 



Syntax 

#(config) security xml [subcommands] 

Subcommands 

#(config) security xml create-realm realm_name 
Creates the specified XML realm 

#(config) security xml delete-realm realm_name 
Deletes the specified XML realm. 

#(config) security xml edit-realm realm_name 
Changes the prompt. See Submodes for details. 

#(config) security xml view [realm_name] 

Displays the configuration of all XML realms or just the configuration for realm_name if specified. 

Submodes 

#(config) security xml edit-realm realm_name 
This changes the prompt to: 

#(config xml realm_name) 

Commands in the xml realm_name mode: 

#(config xml realm_name) alternate-responder {host | port}

Specifies the alternate responder host and port. 

#(config xml realm_name) alternate-responder path {authenticate authenticate_path | authorize authorize_path}

Specifies the alternate responder path for authentication and authorization requests. 

#(config xml realm_name) authorization {default-group-name group_name | username use-full-username | realm {none | username | self}}

Specifies the default group name, username, and realm for authorization. 

#(config xml realm_name) connections count 
Specifies the number of connections to the responder. 

#(config xml realm_name) cookie {persistent {enable | disable} | verify-ip {enable | disable}}

Specifies whether to enable persistent or session cookies, and whether to verify the IP address of the 
cookie. 

#(config xml realm_name) display-name display_name 
Specifies the display name for this realm. 

#(config xml realm_name) exit 

Exits configure xml-realm mode and returns to configure mode. 

#(config xml realm_name) inactivity-timeout seconds 

Specifies the amount of time a session can be inactive before being logged out. 

#(config xml realm_name) log-out {challenge {enable | disable} | display-time seconds}

Allows you to challenge the user after log out and define the log out page display time. 

#(config xml realm_name) no alternate-responder 
Removes the alternate-responder. 

#(config xml realm_name) no default-group-name 
Removes the default-group-name. 

#(config xml realm_name) one-time-passwords {enable | disable}

Allows you to use one-time passwords for authentication. The default is disabled. 

#(config xml realm_name) primary-responder {host | port}

Specifies the primary responder host and port. 

#(config xml realm_name) primary-responder path {authenticate authenticate_path | authorize authorize_path}

Specifies the primary responder path for authentication and authorization requests. 

#(config xml realm_name) refresh-time {authorization-refresh seconds | credential-refresh seconds | rejected-credentials-refresh seconds | surrogate-refresh seconds}

Sets the refresh time for authorization, credential, rejected credentials cache, and surrogates. 

#(config xml realm_name) rename new_realm_name 
Renames this realm to new_realm_name. 

#(config xml realm_name) retry count 

Specifies the number of times for the system to retry a request. The default is not to retry a request. 

#(config xml realm_name) spoof-authentication {none | origin | proxy}

Enables or disables the forwarding of authenticated credentials to the origin content server or for proxy 
authentication. Flush the entries for a realm if the spoof-authentication value is changed, to ensure that 
the new value is applied immediately. 

You can only choose one. 

• If set to origin, the spoofed header is an Authorization: header. 

• If set to proxy, the spoofed header is a Proxy-Authorization: header. 

• If set to none, no spoofing is done. 

#(config xml realm_name) timeout seconds 

Specifies the XML request timeout: the number of seconds the SG appliance allows for each request 
attempt before giving up on a server and trying another server. Within a timeout, multiple packets can 
be sent to the server in case the network is busy and packets are lost. The default request timeout is 
10 seconds. 

#(config xml realm_name) view 
Displays this realm's configuration. 

#(config xml realm_name) virtual-url uri 

Specifies the virtual URL to use for this realm. If no URL is specified the global transparent proxy virtual 
URL is used. 

#(config xml realm_name) xml {credentials {header | request} | request-interested {enable | disable} | username username_parameter}

Specifies the user credential location and the username parameter. The username parameter is passed in 
the request when this realm is used for authentication or authorization. 

For More Information 

□ Volume 4: Securing the Blue Coat SG Appliance 



Example 



#(config) security xml edit-realm xml14 
#(config xml xml14) display-name 
ok 

#(config xml xml14) spoof-authentication origin 
ok 

#(config xml xml14) exit 

#(config) session-monitor 

Synopsis 

Use this command to configure options to monitor RADIUS accounting messages and to maintain a 
session table based on the information in these messages. 

Syntax 

#(config) session-monitor 
This changes the prompt to: 

#(config session-monitor) 

Subcommands 

#(config session-monitor) cluster disable 
Disables cluster support. 

#(config session-monitor) cluster enable 

Enables cluster support. The group address must be set before the cluster can be enabled. 

#(config session-monitor) cluster grace-period seconds 

Set the time to keep session transactions in memory while waiting for slave logins. This can be set to 
allow session table synchronization to occur after the synchronization-delay has expired. The default is 
30 seconds; the range is 0 to 2^31-1 seconds. 

#(config session-monitor) cluster [no] group-address IP_Address 

Set or clear (the default) the failover group IP address. This must be an existing failover group address. 

#(config session-monitor) cluster port port 

Set the TCP/IP port for the session replication control. The default is 55555. 

#(config session-monitor) cluster synchronization-delay seconds 

Set the maximum time to wait for session table synchronization. The default is zero; the range is from 0 
to 2^31-1 seconds. During this time evaluation of $(session.username) is delayed, so proxy traffic 
might also be delayed. 

#(config session-monitor) disable 
Disable (the default) session monitoring. 

#(config session-monitor) enable 
Enable session monitoring. 

#(config session-monitor) max-entries integer 

The maximum number of entries in the session table. The default is 500,000; the range is from 1 to 
2,000,000. If the table reaches the maximum, additional START messages are ignored. 

#(config session-monitor) radius acct-listen-port port 

The port number where the SG appliance listens for accounting messages. 

#(config session-monitor) radius authentication {disable | enable} 

Enable or disable (the default) the authentication of RADIUS messages using the shared secret. Note that 
the shared secret must be configured before authentication is enabled. 

#(config session-monitor) radius encrypted-shared-secret encrypted_secret 

Specify the shared secret (in encrypted form) used for RADIUS protocol authentication. The secret is 
decrypted using the configuration-passwords-key. 

#(config session-monitor) radius no shared-secret 
Clears the shared secret used for RADIUS protocol authentication. 

#(config session-monitor) radius respond {disable | enable}

Enable (the default) or disable generation of RADIUS responses. 

#(config session-monitor) radius shared-secret plaintext_secret 
Specify the shared secret used for RADIUS protocol authentication, in plaintext. 
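
The `radius authentication` and `shared-secret` settings decide whether the appliance checks the Request Authenticator on each accounting message before updating the session table. The following Python is an added illustration, not code from the appliance or from Blue Coat: it implements the RFC 2866 authenticator computation (MD5 over Code, Identifier, Length, sixteen zero octets, the attributes and the shared secret), verifies it the way `radius authentication enable` does, and shows what the default (disabled) setting permits: a STOP message forged without the secret evicts a real user's entry, and a forged START could just as easily bind an attacker's address to a username. The shared secret, identifiers, attribute values and the tiny session-table model are all constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5
USER_NAME, FRAMED_IP, ACCT_STATUS_TYPE = 1, 8, 40   # RFC 2865/2866 attribute types
ACCT_START, ACCT_STOP = 1, 2


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute: Type (1) + Length (1, includes header) + Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_attrs(data: bytes) -> dict:
    """Decode a TLV attribute list into {type: value}; rejects truncated entries."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, n = data[i], data[i + 1]
        if n < 2 or i + n > len(data):
            raise ValueError("malformed attribute length")
        out[t] = data[i + 2:i + n]
        i += n
    return out


def build_accounting_request(secret: bytes, identifier: int, attrs: bytes) -> bytes:
    """Accounting-Request whose Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(secret: bytes, packet: bytes) -> bool:
    """True only for a well-formed Accounting-Request built with `secret`."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_accounting_response(secret: bytes, request: bytes) -> bytes:
    """Accounting-Response (no attributes) with Response Authenticator
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def apply_accounting(table: dict, packet: bytes, secret: bytes, *, authenticate: bool) -> bool:
    """Update a {framed_ip: username} table from one accounting message.
    `authenticate` mirrors `radius authentication {enable | disable}`: with it
    disabled, anyone who can reach the listen port can add or evict entries."""
    if authenticate and not verify_accounting_request(secret, packet):
        return False
    try:
        attrs = parse_attrs(packet[20:])
    except ValueError:
        return False
    if ACCT_STATUS_TYPE not in attrs or FRAMED_IP not in attrs:
        return False
    status = struct.unpack("!I", attrs[ACCT_STATUS_TYPE])[0]
    ip = str(ipaddress.IPv4Address(attrs[FRAMED_IP]))
    if status == ACCT_START and USER_NAME in attrs:
        table[ip] = attrs[USER_NAME].decode()
    elif status == ACCT_STOP:
        table.pop(ip, None)
    return True


# Constructed sample: a legitimate START for alice, then a STOP for the same
# address forged by someone who does not know the secret (random guess).
SECRET = b"s3cret-shared-with-nas"
ALICE_START = build_accounting_request(
    SECRET, 7,
    avp(USER_NAME, b"alice") + avp(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))
    + avp(FRAMED_IP, ipaddress.IPv4Address("10.25.36.17").packed))
FORGED_STOP = build_accounting_request(
    b"guess", 8,
    avp(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STOP))
    + avp(FRAMED_IP, ipaddress.IPv4Address("10.25.36.17").packed))


def demo(authenticate: bool) -> dict:
    """Feed the real START and then the forged STOP; return the resulting table."""
    table = {}
    apply_accounting(table, ALICE_START, SECRET, authenticate=authenticate)
    apply_accounting(table, FORGED_STOP, SECRET, authenticate=authenticate)
    return table


if __name__ == "__main__":
    print("authentication disabled:", demo(False))   # alice evicted by the forgery
    print("authentication enabled: ", demo(True))    # alice still mapped
```

The verification is a keyed MD5 rather than an HMAC, so it only authenticates the sender against a shared secret and gives no replay protection; still, enabling it closes the trivial case in which any host that can reach the accounting listen port rewrites the session table that policy later reads through $(session.username).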

#(config session-monitor) timeout minutes 

The amount of time before a session table entry assumes a STOP message has been sent. The default is 
120 minutes; the range is from 0 to 65535 minutes. Zero indicates no timeout. 

#(config session-monitor) view 
View the session-monitor configuration. 

For More Information 

□ Volume 5: Advanced Networking 

Example 

SGOS#(config) session-monitor 

SGOS#(config session-monitor) view 

General: 
  Status:                        disabled 
  Entry timeout:                 120 minutes 
  Maximum entries:               500000 
  Cluster support:               disabled 
  Cluster port:                  55555 
  Cluster group address:         none 
  Synchronization delay:         0 
  Synchronization grace period:  30 

Accounting protocol: radius 
Radius accounting: 
  Listen ports: 
    Accounting:                  1813 
  Responses:                     Enabled 
  Authentication:                Disabled 
  Shared secret:                 ************ 

#(config) sg-client 

Synopsis 

Use this command to configure the Client Manager and client configuration options for the SG Client. 

Syntax 

#(config) sg-client 
This changes the prompt to: 

#(config sg-client) 



Subcommands 

#(config sg-client) enable 

Enable this appliance as the Client Manager. You can have only one Client Manager in your ADN 
network. 



Note: Before you can enable an appliance to be the Client Manager, you must configure the 
ADN manager that clients will use. If you try to enable the Client Manager before you configure an 
ADN manager for clients, the following error displays: The adn primary manager must be 
set prior to enabling the SG Client Manager. To set the clients' ADN manager, see 
"#config (sg-client adn)" on page 312. 



#(config sg-client) disable 

Do not use this appliance as the Client Manager. 

#(config sg-client) client-manager host {from-client-address | ip_address | hostname}
Identify this appliance as the Client Manager in one of the following ways: 

• from-client-address: (Recommended.) Use this option if you want clients to download the 
SG Client software, configuration, and updates from the host from which the clients originally 
obtained the software. 

• ip_address or hostname: Use this option only if you want to change the host from which clients 
download the SG Client software, configuration, and updates. Enter a fully-qualified host name or 
IP address only; do not prefix it with http:// or https://, or downloads will fail. 

In other words, this option enables you to change the host from which currently-installed 
clients obtain future software and configuration updates. Use caution when selecting this 
option: if clients are unable to connect to the host you enter, new installations from the 
Client Manager and updates to existing installations will fail. 



Note: Blue Coat recommends you enter the fully-qualified host name. If you enter either an 
unqualified host name or IP address and change it later, connections to all currently-connected 
clients are dropped. 



#(config sg-client) client-manager install-port port 

Port on which the host you entered in the preceding option listens for requests from clients. 

#(config sg-client) client-manager keyring keyring 

Name of the keyring the Client Manager will use when clients connect to it. 

#(config sg-client) max-cache-disk-percent percentage 

Maximum percentage of client disk space to use for caching objects, such as CIFS objects. Valid values 
are 10 — 90; default is 10. 

Note: The cache will always leave at least 1GB free on the system root. For more information, 
see the chapter on configuring the SG Client in Volume 5: Advanced Networking. 

#(config sg-client) software-upgrade-path uri 

Sets the URL used to upload updated SG Client software to the Client Manager so it can make the latest 
SG Client software available to update or to install on client machines. 

Important: After you update the Client Manager, whenever users connect using the SG Client, 
they will be required to update the SG Client software. 

Upload the SG Client software from a URL in the following format: 

https://host:port/sgclient/SGClient.car 

For example, 

https://mysg.example.com:8004/sgclient/SGClient.car 

After you set the path from which to load the updates, use # load sg-client-software (page 57) 
to load the SG Client software to the Client Manager. Messages display as the software loads. 

#(config sg-client) tcp-window-size bytes 

Sets the number of bytes allowed before acknowledgement (the value must be between 8192 and 
4194304). If you know the bandwidth and round-trip delay, the TCP window size you should use is 
approximately 2 * bandwidth * delay. For example, if the bandwidth of the link is 8 Mbits/sec and 
the round-trip delay is 0.75 seconds: 

TCP window size = 2 * 8 Mbits/sec * 0.75 sec = 12 Mbits = 1.5 Mbytes 

The setting in this example would be 1500000 bytes. This number goes up as either bandwidth 
or delay increases, and goes down as they decrease. Because the bandwidth and delay for 
mobile users can vary, Blue Coat recommends you test mobile client performance in a 
controlled environment before deciding on a value to use in production. 

#(config sg-client) update-interval minutes 

Frequency clients check with the Client Manager for updated SG Client software. Default is 120. 

#(config sg-client) view 

View current Client Manager settings. 



For More Information 

□ Volume 5: Advanced Networking 

Example 

SGOS#(config) sg-client 

SGOS#(config sg-client) enable 

SGOS#(config sg-client) client-manager host from-client-address 

SGOS#(config sg-client) software-upgrade-path https://mysg.example.com:8004/sgclient/SGClient.car 

#config (sg-client adn) 

Synopsis 

Configure ADN manager and ADN rules settings for SG Clients. 

Syntax 

#(config) sg-client 

This changes the prompt to: 

#(config sg-client) 

#(config sg-client) adn 

This changes the prompt to: 

#(config sg-client adn) 

Subcommands 

#(config sg-client adn) primary-manager ip_address 

The IP address of the primary ADN manager. The ADN manager keeps track of and advertises the 
routes of the appliances it knows about. You must specify a primary manager. 

The SG Client obtains the routing table from the ADN manager. 

#(config sg-client adn) backup-manager ip_address 

The IP address of the backup ADN manager. Configuring a backup ADN manager is optional but 
recommended. 

If the ADN manager becomes unavailable for any reason, the backup ADN manager takes 
over the task of advertising routes to all ADN nodes, such as the SG Client. 

#(config sg-client adn) manager-port port 

ADN manager and backup manager plain listen port. (To use the SG Client in your ADN network, the 
ADN manager's listening mode must be configured for Plain Only, Plain Read-Only, or Both.) 

#(config sg-client adn) port-list {exclude-ports | include-ports}

Determines whether you will use the include ports list or exclude ports list. 

#(config sg-client adn) {exclude-ports | include-ports} {port_list | port_range}

Determines which TCP ports to exclude or include in ADN tunnels. Assuming clients using the SG 
Client software can connect to an ADN peer that can optimize traffic to the destination IP address, this 
setting determines which ports the clients can use (or not use). 

For example, you can exclude ports or port ranges because traffic on those ports is already 
encrypted and would not benefit from optimization. 

The following command excludes traffic from ports 22 and 443 from being routed 
through ADN: 

#(config sg-client adn) exclude-ports 22,443 

Valid values: Comma-separated list of ports and port ranges (no spaces; a range is two ports 
separated by a dash character). 

#(config sg-client adn) exclude-subnets 

Configure the subnets excluded from ADN acceleration 

#(config sg-client adn exclude-subnets) {add | remove} subnet_prefix[/prefix_length]

Adds or removes subnets from the excluded subnets list, which is the list of subnets not included in 
ADN tunnels. Use a comma-separated list of IP addresses and subnets in CIDR notation. 

For example, the following command excludes traffic for the subnet 128.211.168.0 with netmask 
255.255.255.0 from being routed through the ADN tunnel: 

#(config sg-client adn exclude-subnets) add 128.211.168.0/24 

#(config sg-client adn exclude-subnets) clear 

Removes all subnets from the current excluded subnet list. In other words, traffic for all IP 
addresses and subnets will be routed through the ADN tunnel. 

#(config sg-client adn exclude-subnets) exit 
Exits the exclude-subnets submode. 

# (config sg-client adn exclude-subnets) view 
View the list of excluded subnets. 

# (config sg-client adn) exit 
Exit the adn submode. 
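
The port-list mode, the port list itself and the excluded subnets combine into one per-connection decision on the client. The following Python is an added illustration, not code from the SG Client or from Blue Coat: it parses the documented port-list syntax (comma-separated ports and dash ranges, no spaces), rejects malformed lists the way an operator would want the CLI to, and applies both lists to a destination. The policy values are the ones from the examples on this page; the destination addresses are constructed, and the rule that an excluded subnet is never tunneled regardless of port follows from the description of exclude-subnets above.

```python
import ipaddress


def parse_port_list(spec: str) -> set:
    """Parse the CLI port-list syntax: comma-separated ports and dash ranges,
    no spaces, e.g. "22,443" or "6000-6063,3389". Raises ValueError on
    anything else (blank items, spaces, ports outside 1-65535, reversed ranges)."""
    ports = set()
    for item in spec.split(","):
        lo, sep, hi = item.partition("-")
        hi = hi if sep else lo
        if not (lo.isdigit() and hi.isdigit()):      # also rejects "22, 443"
            raise ValueError(f"bad port list item: {item!r}")
        lo_n, hi_n = int(lo), int(hi)
        if not 1 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"port or range out of order/range: {item!r}")
        ports.update(range(lo_n, hi_n + 1))
    return ports


def is_valid_port_list(spec: str) -> bool:
    """Convenience wrapper for validating operator input before applying it."""
    try:
        parse_port_list(spec)
        return True
    except ValueError:
        return False


class AdnClientPolicy:
    """Models `port-list`, `{exclude-ports | include-ports}` and
    `exclude-subnets` for one SG Client."""

    def __init__(self, mode: str, ports: str, exclude_subnets=()):
        if mode not in ("exclude-ports", "include-ports"):
            raise ValueError("mode must be exclude-ports or include-ports")
        self.mode = mode
        self.ports = parse_port_list(ports)
        self.exclude_subnets = [ipaddress.ip_network(s, strict=False)
                                for s in exclude_subnets]

    def tunnels(self, dst_ip: str, dst_port: int) -> bool:
        """True if a connection to dst_ip:dst_port goes through the ADN tunnel."""
        addr = ipaddress.ip_address(dst_ip)
        if any(addr in net for net in self.exclude_subnets):
            return False                         # excluded subnet wins outright
        listed = dst_port in self.ports
        return not listed if self.mode == "exclude-ports" else listed


# Constructed policy using the page's own examples: already-encrypted or
# interactive ports are left alone, as is the 128.211.168.0/24 subnet.
POLICY = AdnClientPolicy(
    "exclude-ports",
    "22,88,443,993,995,1352,1494,1677,3389,5900",
    exclude_subnets=["128.211.168.0/24"],
)

if __name__ == "__main__":
    for ip, port in [("10.0.0.5", 80), ("10.0.0.5", 443), ("128.211.168.7", 80)]:
        print(f"{ip}:{port} -> {'tunnel' if POLICY.tunnels(ip, port) else 'bypass'}")
```

Whitespace in the list is rejected rather than silently tolerated because the appliance syntax forbids it; a list that silently drops an item would leave traffic on that port tunneled (or bypassed) contrary to what the operator typed.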

For More Information 

□ Volume 5: Advanced Networking 

Example 

#(config sg-client adn) exclude-ports 22,88,443,993,995,1352,1494,1677,3389,5900 

#config (sg-client cifs) 

Synopsis 

Configure CIFS settings for SG Clients. 

Syntax 

#(config) sg-client 

This changes the prompt to: 

#(config sg-client) 

#(config sg-client) cifs 

This changes the prompt to: 

#(config sg-client cifs) 

Subcommands 

#(config sg-client cifs) directory-cache-time seconds 

Number of seconds for directory listings to remain in the cache. Default is 30. 

#(config sg-client cifs) {disable | enable} 

Disable or enable CIFS acceleration. CIFS acceleration is enabled by default. 

#(config sg-client cifs) exit 
Exits the sg-client cifs submode. 

#(config sg-client cifs) write-back {full | none} 

Determines whether or not users can continue sending data to the appliance while the appliance is 
writing data on the back end. 

• full enables write-back, which in turn makes the appliance appear to the user as a file server; in 
other words, the appliance constantly sends approval to the client and allows the client to send data 
while the back end takes advantage of the compressed TCP connection. 

• none disables write-back. Disabling write-back can introduce substantial latency as clients send 
data to the appliance and wait for acknowledgement before sending more data. 

One reason to set this option to none is the risk of data loss if the link from the branch to the 
core server fails. There is no way to recover queued data if such a link failure occurs. 

#(config sg-client cifs) view 
View client CIFS settings. 

For More Information 

□ Volume 5: Advanced Networking 

Example 

SGOS# (config sg-client cifs) enable 

SGOS# (config sg-client cifs) write-back full 

#(config) shell 



Synopsis 

Use this command to configure options for the shell. 

#(config) shell max-connections number 

Maximum number of shell connections. Allowed values are between 1 and 65535. 

#(config) shell no {prompt | realm-banner | welcome-banner}

Clears the prompt, realm-banner, or welcome-banner string. 

#(config) shell prompt string 

Sets the prompt that the user sees in the shell. If the string includes white space, enclose the string in 
quotes. 

#(config) shell realm-banner string 

Sets the realm banner that the user sees when logging into a realm through the shell. If the string 
includes white space, enclose the string in quotes. 

#(config) shell welcome-banner string 

Sets the welcome banner that the user sees when logging into the shell. If the string includes white 
space, enclose the string in quotes. 



For More Information 

□ Volume 2: Proxies and Proxy Services 

Example 

SGOS# (config) shell prompt "Telnet Shell >" 
ok 

SGOS# (config) shell welcome-banner "Welcome to the Blue Coat Telnet Shell" 
ok 

#(config) show 

□ # show on page 72. 

#(config) snmp 

Synopsis 

Use this command to set SNMP (Simple Network Management Protocol) options for the SG appliance. 

The SG appliance can be viewed using an SNMP management station. The SG appliance supports 
MIB-2 (RFC 1213). 

Syntax 

#(config) snmp 
This changes the prompt to: 

#(config snmp) 



Subcommands 

#(config snmp) authorize-traps 
Enables SNMP authorize traps. 

#(config snmp) disable 

Disables SNMP for the SG appliance. 

#(config snmp) director-trap-address director_ip director_ID_string 
Enables Director to receive SNMP traps from the SG appliance. 

#(config snmp) enable 

Enables SNMP for the SG appliance. 

#(config snmp) encrypted-read-community encrypted_password 
Specifies encrypted read community string. 

#(config snmp) encrypted-trap-community encrypted_password 
Specifies encrypted trap community string. 

#(config snmp) encrypted-write-community encrypted_password 
Specifies encrypted write community string. 

#(config snmp) exit 

Exits configure snmp mode and returns to configure mode. 

#(config snmp) no authorize-traps 

Disables the current authorize traps settings. 

#(config snmp) no sys-contact 

Disables the current system contact settings. 

#(config snmp) no sys-location 

Disables the current system location settings. 

#(config snmp) no trap-address {1 | 2 | 3} 

Disables the current trap address settings (for trap address 1, 2, or 3). 

#(config snmp) read-community password 

Sets the read community password or encrypted-password. 

#(config snmp) reset-configuration 

Resets the SNMP configuration to the default settings, clearing community strings and any IP addresses. 
You do not need to reboot the system after making these changes. 

#(config snmp) snmp-writes {disable | enable} 

Enables or disables SNMP write capability. 
#(config snmp) sys-contact string 

Sets the "sysContact" MIB variable to string. 

#(config snmp) sys-location string 

Sets the "sysLocation" MIB variable to string. 

#(config snmp) test-trap string 

Sends a policy test trap with the string as the message. Quotes are required if the message contains 
whitespace. 

#(config snmp) trap-address {1 | 2 | 3} ip_address 

Indicates which IP address(es) can receive traps and in which priority. 

#(config snmp) trap-community password 

Sets the trap community password or encrypted-password. 

#(config snmp) view 
Displays SNMP settings. 

#(config snmp) write-community password 

Sets the write community password or encrypted-password. 

For More Information 

□ Volume 10: Managing the Blue Coat SG Appliance 

Example 

SGOS#(config) snmp 

SGOS#(config snmp) authorize-traps 
ok 

SGOS#(config snmp) exit 
SGOS#(config) 
#(config) socks-gateways 

Synopsis 

Use this command to set the SOCKS gateways settings. 

Syntax 

#(config) socks-gateways 

This changes the prompt to: 

#(config socks-gateways) 

Subcommands 

#(config socks-gateways) create gateway_alias gateway_host SOCKS_port 
[group=group_alias] [version={4 | 5 [user=username {password=password | 
encrypted-password=encrypted_password}]}] 

Creates a SOCKS gateway. 



Note: The SOCKS compression feature is deprecated, as a more advanced version of this 
functionality is now available as part of the Application Delivery Network features. Refer to 
Volume 5: Advanced Networking for instructions on how to configure and use these features. 



#(config socks-gateways) create {gateway | group group_name} 

#(config socks-gateways) delete {all | gateway gateway_alias | group group_name} 
Deletes a SOCKS gateway or group. 

#(config socks-gateways) destroy-old-passwords 
Destroys any cleartext passwords left after an upgrade. 

#(config socks-gateways) edit gateway_alias 

Changes the prompt. See #(config socks-gateways gateway_alias) on page 321. 

#(config socks-gateways) edit group_alias 

Changes the prompt. See #(config socks-gateways group_alias) on page 323. 

#(config socks-gateways) exit 

Exits configure socks-gateways mode and returns to configure mode. 

#(config socks-gateways) failure-mode {open | closed} 

Sets the default failure mode (that can be overridden by policy). 

#(config socks-gateways) host-affinity http {default | none | client-ip-address | 
accelerator-cookie} gateway_or_group_alias 

Selects a host affinity method for HTTP. If a gateway or group alias is not specified for the 
accelerator-cookie, client-ip-address, or none options, the global default is used. Use the 
default option to specify default configurations for all the settings for a specified gateway or group. 
#(config socks-gateways) host-affinity ssl {default | none | client-ip-address | 
accelerator-cookie | ssl-session-id} gateway_or_group_alias 
Selects a host affinity method for SSL. If a gateway or group alias is not specified for the 
accelerator-cookie, client-ip-address, none, or ssl-session-id options, the global 
default is used. Use the default option to specify default configurations for all the settings for a 
specified gateway or group. 

#(config socks-gateways) host-affinity other {default | client-ip-address | none} 
gateway_or_group_alias 

Selects a host affinity method (non-HTTP or non-SSL). If a gateway or group alias is not specified for the 
client-ip-address or none options, the global default is used. Use the default option to specify 
default configurations for all the settings for a specified gateway or group. 

#(config socks-gateways) load-balance gateway {default | none | round-robin | 
least-connections} gateway_alias 

Selects a load balancing method for a gateway. If a gateway alias is not specified for the 
round-robin, least-connections, or none options, the global default is used. Use the default 
option to specify default configurations for all the settings for a specified gateway. 

#(config socks-gateways) load-balance group {default | none | domain-hash | url-hash 
| round-robin | least-connections} group_alias 

Selects a load balancing method for a group. 

#(config socks-gateways) no path 

Clears network path to download SOCKS gateway settings. 

#(config socks-gateways) path uri 

Specifies the network path to download SOCKS gateway settings. 

#(config socks-gateways) sequence {add | demote | promote | remove} gateway_alias 
Adds an alias to the end of the default failover sequence. 

#(config socks-gateways) sequence clear 
Clears the default failover sequence. 

#(config socks-gateways) view 
Displays all SOCKS gateways. 



For More Information 

□ Volume 5: Advanced Networking 



Example 

SGOS#(config) socks-gateways 
SGOS#(config socks-gateways) failure-mode open 
ok 

SGOS#(config socks-gateways) exit 
SGOS#(config) 
#(config socks-gateways gateway_alias) 

Synopsis 

These commands allow you to edit the settings of a specific SOCKS gateway. 

Syntax 

#(config) socks-gateways 
This changes the prompt to: 

#(config socks-gateways) 
edit gateway_alias 
This changes the prompt to: 

#(config socks-gateways gateway_alias) 



Subcommands 

#(config socks-gateways gateway_alias) encrypted-password 
Changes the version 5 encrypted password. 

#(config socks-gateways gateway_alias) exit 

Exits configure socks-gateways gateway_alias mode and returns to configure socks-gateways mode. 

#(config socks-gateways gateway_alias) host 
Changes the host name. 

#(config socks-gateways gateway_alias) host-affinity http {accelerator-cookie | 
client-ip-address | default | none} 

Changes the host affinity method (HTTP) for this host. 

#(config socks-gateways gateway_alias) host-affinity other {client-ip-address | 
default | none} 

Changes the host affinity other method for this host. 

#(config socks-gateways gateway_alias) host-affinity ssl {accelerator-cookie | 
client-ip-address | default | ssl-session-id | none} 

Changes the host affinity method (SSL) for this host. 

#(config socks-gateways gateway_alias) load-balance {default | least-connections 
| round-robin | none} 

Changes the load balancing method. 

#(config socks-gateways gateway_alias) no {password | username} 

Optional, and only if you use version 5. Deletes the version 5 password or username. 

#(config socks-gateways gateway_alias) password 

Optional, and only if you use version 5. Changes the version 5 password. If you specify a password, you 
must also specify a username. 

#(config socks-gateways gateway_alias) port 
Changes the SOCKS port. 

#(config socks-gateways gateway_alias) request-compression 
Changes the SOCKS port to request compression. 

#(config socks-gateways gateway_alias) user 

Optional, and only if you use version 5. Changes the version 5 username. If you specify a username, you 
must also specify a password. 
#(config socks-gateways gateway_alias) version {4 | 5} 
Changes the SOCKS version. 

#(config socks-gateways gateway_alias) view 
Shows the current settings for this SOCKS gateway. 



For More Information 

□ Volume 5: Advanced Networking 

Example 

SGOS#(config) socks-gateways 

SGOS#(config socks-gateways) edit testgateway 
SGOS#(config socks-gateways testgateway) version 5 
ok 

SGOS#(config socks-gateways testgateway) exit 
SGOS#(config socks-gateways) exit 
SGOS#(config) 
#(config socks-gateways group_alias) 

Synopsis 

These commands allow you to edit the settings of a specific SOCKS gateway group. 

Syntax 

#(config) socks-gateways 

This changes the prompt to: 

#(config socks-gateways) create host_alias hostname protocol=port 
group=group_alias 

#(config socks-gateways) edit group_alias 

This changes the prompt to: 

#(config socks-gateways group_alias) 



Subcommands 

#(config socks-gateways group_alias) add 
Adds a new group. 

#(config socks-gateways group_alias) exit 

Exits #(config socks-gateways group_alias) mode and returns to #(config 
socks-gateways) mode. 

#(config socks-gateways group_alias) host-affinity http {accelerator-cookie | 
client-ip-address | default | none} 

Changes the host affinity method (HTTP) for this group. 

#(config socks-gateways group_alias) host-affinity other {client-ip-address | 
default | none} 

Changes the host affinity other method for this group. 

#(config socks-gateways group_alias) host-affinity ssl {accelerator-cookie | 
client-ip-address | default | ssl-session-id | none} 

Changes the host affinity method (SSL) for this group. 

#(config socks-gateways group_alias) load-balance method {default | domain-hash 
| least-connections | none | round-robin | url-hash} 

Changes the load balancing method. 

#(config socks-gateways group_alias) remove 
Removes an existing group. 

#(config socks-gateways group_alias) view 
Shows the current settings for this SOCKS gateway group. 

For More Information 

□ Volume 5: Advanced Networking 
Example 

SGOS#(config) socks-gateways 

SGOS#(config socks-gateways) edit test_group 

SGOS#(config socks-gateways test_group) load-balance hash domain 
ok 

SGOS#(config socks-gateways test_group) exit 
SGOS#(config socks-gateways) exit 
SGOS#(config) 
#(config) socks-machine-id 

Synopsis 

Use this command to set the machine ID for SOCKS. 

If you are using a SOCKS server for the primary or alternate gateway, you must specify the SG 
appliance machine ID for the Identification (Ident) protocol used by the SOCKS gateway. 

Syntax 

#(config) socks-machine-id machine_id 
Indicates the machine ID for the SOCKS server. 

Example 

SGOS#(config) socks-machine-id 10.25.36.47 

ok 
#(config) socks-proxy 

Synopsis 

Use this command to configure a SOCKS proxy on an SG appliance. Only one server is permitted per 
SG appliance. Both SOCKSv4 and SOCKSv5 are supported by Blue Coat, and both are enabled by 
default. 

Note that the version of SOCKS used is only configurable through policy. For example, to allow only 
SOCKSv5, deny version 4 in the proxy layer: 

<proxy> 
    socks.version=4 deny 



Syntax 

#(config) socks-proxy 

Subcommands 

#(config) socks-proxy accept-timeout seconds 
Sets maximum time to wait on an inbound BIND. 

#(config) socks-proxy connect-timeout seconds 
Sets maximum time to wait on an outbound CONNECT. 

#(config) socks-proxy max-connections num_connections 
Sets maximum allowed SOCKS client connections. 

#(config) socks-proxy max-idle-timeout seconds 

Specifies the maximum idle timeout value after which SOCKS should terminate the connection. 

#(config) socks-proxy min-idle-timeout seconds 

Specifies the minimum idle timeout after which SOCKS can consider the connection for termination when 
the maximum number of connections is reached. 

#(config) socks-proxy pa-customer-id customer_id 

Validates the license for the specified customer. (The customer_id is the Customer ID number you took 
from the About tab on the PA client.) Use socks-proxy pa-customer-id 0 to disable the license. 

For More Information 

□ Volume 2: Proxies and Proxy Services 

Example 

SGOS#(config) socks-proxy accept-timeout 120 

ok 
#(config) ssh-console 

Synopsis 

Configures the SSH host and client keys. 

Syntax 

#(config) ssh-console 

This changes the prompt to: 

#(config ssh-console) 

Subcommands 

#(config ssh-console) create host-keypair {sshv1 | sshv2 | <Enter>} 

Creates a host-keypair for the SSH console of the specified version. 

#(config ssh-console) delete client-key username key_id 
Deletes the client key with the specified username and key ID. 

#(config ssh-console) delete legacy-client-key key_id 
Deletes the legacy client key. 

#(config ssh-console) delete director-client-key key_id 
Deletes the Director client key. 

#(config ssh-console) delete host-keypair {sshv1 | sshv2 | <Enter>} 

Deletes the specified host keypair. 

#(config ssh-console) inline {client-key <eof> | director-client-key <eof>} 
Allows you to add a client key or a Director client key using inline commands. 

#(config ssh-console) view {client-key | director-client-key | host-public-key | 
user-list | versions-enabled} 

Views the SSH console parameters. 

For More Information 

□ Volume 2: Proxies and Proxy Services 

□ #(config ssh-console) on page 134 

Example 

#(config ssh-console) view versions-enabled 
SSHv2 is enabled. 
#(config) ssl 

Synopsis 

Use this command to configure HTTPS termination, including managing certificates, both self-signed 
and those from a Certificate Signing Authority (CSA). 

To configure HTTPS termination, you must complete the following tasks: 

□ Configure a keyring 

□ Configure the SSL client 

□ Configure the HTTPS service 

Note: To do these steps, you must have a serial or SSH connection; you cannot use Telnet. 



Syntax 

#(config) ssl 
This changes the prompt to: 

#(config ssl) 

Subcommands 

#(config ssl) create ccl list_name 
Creates a list to contain CA certificates. 

#(config ssl) create certificate keyring_id 

Creates a certificate. Certificates can be associated with a keyring. 

You can create a self-signed certificate two ways: interactively or non-interactively. 

Director uses non-interactive commands in profiles and overlays to create certificates. 

#(config ssl) create crl crl_id 
Create a Certificate Revocation List. 

#(config ssl) create keyring {show | show-director | no-show} keyring_id 
[key_length] 

Creates a keyring, with a keypair, where: 

show: Keyrings created with this attribute are displayed in the show configuration output, meaning 
that the keyring can be included as part of a profile or overlay pushed by Director. 

show-director: Keyrings created with this attribute are part of the show configuration output if 
the CLI connection is secure (SSH/RSA) and the command is issued from Director. 

no-show: Keyrings created with this attribute are not displayed in the show configuration output and 
cannot be part of a profile. The no-show option is provided as additional security for environments 
where the keys will never be used outside of the particular SG appliance. 

#(config ssl) create device-authentication-profile device_authentication_profile 
_name [keyring] 

Creates a device authentication profile of the specified name and keyring. The keyring must already 
exist. If you do not specify a keyring, the certificate is put in the appliance-key keyring. 
#(config ssl) create signing-request keyring_id 

Creates a certificate signing request. The request must be associated with a keyring. 

You can create a signing request two ways: interactively or non-interactively. 

Director uses non-interactive commands in profiles and overlays to create signing requests. 

#(config ssl) create ssl-client ssl_client_name 

Associates the SSL client with a keyring. Only the default is permitted. 

#(config ssl) delete ca-certificate name 
Deletes a CA-certificate from the SG appliance. 

#(config ssl) delete ccl list_name 
Deletes a CCL list from the SG appliance. 

#(config ssl) delete certificate keyring_id 
Deletes the certificate associated with a keyring. 

#(config ssl) delete crl list_name 

Deletes the specified Certificate Revocation List. 

#(config ssl) delete external-certificate name 
Deletes an external certificate from the SG appliance. 

#(config ssl) delete keyring keyring_id 
Deletes a keyring, with a keypair. 

#(config ssl) delete signing-request keyring_id 
Deletes a certificate signing request. 

#(config ssl) delete ssl-client ssl_client_name 
Deletes an SSL client. 

#(config ssl) edit ccl list_name 

Changes the prompt. See #(config ssl ccl list_name) on page 332. 

#(config ssl) edit crl crl_id 

Changes the prompt. See #(config ssl crl_list_name) on page 333. 

#(config ssl) edit device-authentication-profile profile_name 

Changes the prompt. See #(config ssl device-authentication-profile). 

#(config ssl) edit ssl-client ssl_client_name 

Changes the prompt. Only default is permitted. See #(config ssl ssl default_client_name) 
on page 335. 

#(config ssl) exit 

Exits configure ssl mode and returns to configure mode. 

#(config ssl) inline ca-certificate name eof 

Imports a CA certificate. 

#(config ssl) inline certificate keyring_id eof 

Imports a certificate. 

#(config ssl) inline crl list_name 
Imports a Certificate Revocation List. 

#(config ssl) inline external-certificate name eof 
Imports a certificate without the corresponding private key. 

#(config ssl) inline keyring {show | show-director | no-show} keyring_id eof 
Imports a keyring, where: 

show: Keyrings created with this attribute are displayed in the show configuration output, meaning 
that the keyring can be included as part of a profile or overlay pushed by Director. 
show-director: Keyrings created with this attribute are part of the show configuration output if 
the CLI connection is secure (SSH/RSA) and the command is issued from Director. 

no-show: Keyrings created with this attribute are not displayed in the show configuration output and 
cannot be part of a profile. The no-show option is provided as additional security for environments 
where the keys will never be used outside of the particular SG appliance. 

eof : End-of-file marker. This can be anything, as long as it doesn't also appear in the inline text. (If the 
eof appears in the inline text, the inline command completes at that point.) 

#(config ssl) inline signing-request keyring_id eof 
Imports the specified signing request. 

#(config ssl) load crl crl_list 
Loads the specified CRL list. 

#(config ssl) proxy issuer-keyring keyring_name 
Specifies the keyring to be used for SSL interception. 

#(config ssl) request-appliance-certificate 
Generates an appliance certificate. 

#(config ssl) ssl-nego-timeout seconds 

Configures the SSL-negotiation timeout period. The default is 300 seconds. 

#(config ssl) view appliance-certificate-request 

Displays the appliance certificate request generated by the request-appliance-certificate 
command. 

#(config ssl) view ca-certificate name 
Displays the Certificate Authority certificate. 

#(config ssl) view ccl 

Displays the CA-certificate lists. 

#(config ssl) view certificate keyring_id 
Displays the certificate. 

#(config ssl) view crl [list_name] 

Displays the specified Certificate Revocation List. 

#(config ssl) view device-authentication-profile 

Displays the device authentication profiles. 

#(config ssl) view external-certificate name 
Displays the external certificate. 

#(config ssl) view keypair {{des | des3 | unencrypted} keyring_id | keyring_id} 

Displays the keypair. If you want to view the keypair in an encrypted format, you can optionally specify 
des or des3 before the keyring_id. If you specify either des or des3, you are prompted for the 
challenge entered when the keyring was created. 

#(config ssl) view keyring [keyring_id] 

Displays the keyring. 

#(config ssl) view signing-request keyring_id 
Displays the certificate signing request. 

#(config ssl) view ssl-client 

Displays summary information of SSL clients. 

#(config ssl) view ssl-nego-timeout 

Displays SSL negotiation timeout period status summary. 

#(config ssl) view summary {ca-certificate | external-certificate} [name] 

Displays a summary for all CA-certificate or external-certificate commands, or for the certificate name 
specified. 
For More Information 

□ Volume 2: Proxies and Proxy Services 

Example 

SGOS#(config) ssl 

SGOS#(config ssl) create keyring show keyring_id [key_length] 
ok 

SGOS#(config ssl) view keyring keyring_id 

KeyringID: default 

Is private key showable? yes 

Have CSR? no 

Have certificate? yes 

Is certificate valid? yes 

CA: Blue Coat SG810 

Expiration Date: Jan 23 23:57:21 2013 GMT 

Fingerprint: EB:BD:F8:2C:00:25:84:02:CB:82:3A:94:1E:7F:0D:E3 
SGOS#(config ssl) exit 
SGOS#(config) 
#(config ssl ccl list_name) 

Synopsis 

Allows you to edit the CCL parameters. 

Syntax 

#(config) ssl 
This changes the prompt to: 

#(config ssl) edit ccl list_name 
This changes the prompt to: 

#(config ssl ccl list_name) 



Subcommands 

#(config ssl ccl list_name) add ca_certificate_name 

Adds a CA certificate to this list. (The CA certificate must first be imported in configure ssl mode.) 

#(config ssl ccl list_name) clear 

Clears all CA certificates from the specified list. 

#(config ssl ccl list_name) exit 

Exits configure ssl ccl list_name mode and returns to ssl configure mode. 

#(config ssl ccl list_name) view 

Shows a summary of CA certificates in this list. 

For More Information 

□ Volume 2: Proxies and Proxy Services 

Example 

SGOS#(config) ssl 

SGOS#(config ssl) edit ccl list_name 

SGOS#(config ssl ccl list_name) add CACert1 
ok 

SGOS#(config ssl ccl list_name) exit 
SGOS#(config ssl) exit 
SGOS#(config) 
#(config ssl crl_list_name) 

Synopsis 

Allows you to edit the specified Certificate Revocation List name. 

Syntax 

#(config) ssl 
This changes the prompt to: 

#(config ssl) 
edit crl crl_list_name 
This changes the prompt to: 

#(config ssl crl_list_name) 

Subcommands 

#(config ssl crl_list_name) exit 

Exits configure ssl crl crl_list_name mode and returns to ssl configure mode. 

#(config ssl crl_list_name) inline 
Imports a Certificate Revocation List. 

#(config ssl crl_list_name) load 

Downloads the specified Certificate Revocation List. 

#(config ssl crl_list_name) path 

Specifies the network path to download the specified Certificate Revocation List. 

#(config ssl crl_list_name) view 

View the specified Certificate Revocation List. 

For More Information 

□ Volume 2: Proxies and Proxy Services 
#(config ssl device-authentication-profile) 

Synopsis 

Allows you to edit a device authentication profile. Note that the built-in profile, 
bluecoat-appliance-certificate, cannot be edited. 

Syntax 

#(config) ssl 
This changes the prompt to: 

#(config ssl) 

edit device-authentication-profile profile_name 
This changes the prompt to: 

#(config ssl profile_name) 



Subcommands 

#(config ssl profile_name) cipher-suite cipher-suite 

Configures device authentication profile cipher suites. If you press <enter>, you can see the list of 
available ciphers. The default is AES256-SHA. You can choose more than one cipher suite. 

#(config ssl profile_name) ccl ccl_name 
Configures the device authentication profile CCL. 

#(config ssl profile_name) device-id device_ID 

Configures the device authentication profile of the specific device ID. 

#(config ssl profile_name) exit 

Returns to the #(config ssl) prompt. 

#(config ssl profile_name) keyring-id keyring_ID 

Configures the device authentication profile in the specified keyring. 

#(config ssl profile_name) verify-peer {enable | disable} 

Enables or disables device authentication peer verification. 

#(config ssl profile_name) view 

Displays the settings of this device authentication profile. 

For More Information 

□ Volume 5: Advanced Networking 

Example 

#(config device-auth test1) view 
Name: test1 

Keyring: appliance-key 
CCL: appliance-ccl 

Device-id: 4505060020 (4505060020) 
Cipher suite: aes256-sha 
Verify-peer: enabled 
#(config ssl ssl default_client_name) 

Synopsis 

Allows you to edit the SSL client parameters. Only the default is permitted. 

Syntax 

#(config) ssl 
This changes the prompt to: 

#(config ssl) 

edit ssl-client ssl_default_client_name 
This changes the prompt to: 

#(config ssl ssl_default_client_name) 

Subcommands 

#(config ssl ssl_default_client_name) cipher-suite 

Specifies the cipher suite to use. The default is to use all cipher suites. If you want to change the default, 
you have two choices: 

• interactive mode 

• non-interactive mode 

Director uses non-interactive commands in profiles and overlays to create cipher suites. 

The optional cipher-suite refers to the cipher-suites you want to use, space separated, such as 
rc4-md5 exp-des-cbc-sha. If you want to use the interactive mode, do not specify a cipher suite. 

#(config ssl ssl_default_client_name) exit 

Exits configure ssl ssl-client ssl_default_client_name mode and returns to ssl 
configure mode. 

#(config ssl ssl_default_client_name) keyring-id keyring_id 
Configures the SSL client keyring id. 

#(config ssl ssl_default_client_name) protocol {sslv2 | sslv3 | tlsv1 | sslv2v3 | 
sslv2tlsv1 | sslv3tlsv1 | sslv2v3tlsv1} 

Configures SSL client protocol version. 

#(config ssl ssl_default_client_name) view 
Displays the SSL client details. 

For More Information 

□ Volume 2: Proxies and Proxy Services 

Example 

SGOS#(config) ssl 

SGOS#(config ssl) edit ssl-client ssl_default_client_name 

SGOS#(config ssl ssl-client ssl_default_client_name) cipher-suite rc4-md5 
exp-des-cbc-sha 
ok 

SGOS#(config ssl ssl-client ssl_default_client_name) exit 
SGOS#(config ssl) exit 
SGOS#(config) 
#(config) static-routes 

Synopsis 

Use this command to set the network path to download the static routes configuration file. 

To use static routes on the SG appliance, you must create a routing table and place it on an HTTP 
server accessible to the device. The routing table is a text file that contains a list of IP addresses, subnet 
masks, and gateways. When you download a routing table, the table is stored in the device until it is 
replaced by downloading a new table. 

The routing table is a simple text file containing a list of IP addresses, subnet masks, and gateways. A 
sample routing table is illustrated below: 

10.63.0.0 255.255.0.0 10.63.158.213 

10.64.0.0 255.255.0.0 10.63.158.213 

10.65.0.0 255.255.0.0 10.63.158.226 

When a routing table is loaded, all requested addresses are compared to the list, and routed based on 
the best match. 

After the routing table is created, place it on an HTTP server so it can be downloaded to the device. To 
download the routing table to the SG appliance, use the load command. 
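The following added example (not Blue Coat code) parses a routing table in the three-column format described above and resolves an address by "best match". It assumes that "best match" means the route with the most specific (longest) subnet mask, that lines beginning with # may be used as comments, and it uses a constructed sample table; it also rejects a malformed line or a destination with host bits set instead of silently skipping it, so a corrupted table is noticed before it steers traffic.

```python
import ipaddress

# Constructed sample table in the manual's "destination mask gateway" format.
# The fourth, more specific route is added to show longest-match selection.
SAMPLE_ROUTE_TABLE = """\
# comment lines and blank lines are skipped (assumption, not stated on the page)
10.63.0.0 255.255.0.0 10.63.158.213
10.64.0.0 255.255.0.0 10.63.158.213
10.65.0.0 255.255.0.0 10.63.158.226
10.65.12.0 255.255.255.0 10.63.158.240
"""


def parse_route_table(text):
    """Parse the routing table text into a list of (IPv4Network, IPv4Address).

    A malformed line, an invalid address or mask, or a destination whose host
    bits are set raises ValueError, so a damaged table downloaded from the HTTP
    server is rejected as a whole rather than partially applied.
    """
    routes = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comment (assumption)
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(
                f"line {lineno}: expected 'destination mask gateway', got {raw!r}")
        dest, mask, gw = fields
        # strict=True refuses e.g. 10.63.0.1/255.255.0.0 (host bits set).
        network = ipaddress.IPv4Network((dest, mask), strict=True)
        gateway = ipaddress.IPv4Address(gw)
        routes.append((network, gateway))
    return routes


def best_match(routes, address):
    """Return the gateway (as a string) of the most specific route containing
    address, or None when no route matches.

    Longest prefix match is the usual meaning of "best match" in routing; the
    page does not define the term, so this is an assumption of the example.
    """
    addr = ipaddress.IPv4Address(address)
    candidates = [(net, gw) for net, gw in routes if addr in net]
    if not candidates:
        return None
    net, gw = max(candidates, key=lambda route: route[0].prefixlen)
    return str(gw)


if __name__ == "__main__":
    table = parse_route_table(SAMPLE_ROUTE_TABLE)
    for target in ("10.63.5.5", "10.65.1.1", "10.65.12.7", "192.168.1.1"):
        print(target, "->", best_match(table, target))
```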

Syntax 

#(config) static-routes no path 

Clears the network path location of the static route table 

#(config) static-routes path uri 

Sets the network path location of the static route table to the specified URL. 



For More Information 

□ Volume 2: Proxies and Proxy Services 

Example 

SGOS#(config) static-routes path 10.25.36.47/files/routes.txt 

ok 
#(config) streaming 

Synopsis 

Use this command to configure general streaming settings and Microsoft Windows Media or 
RealNetworks Real Media settings. 

Syntax 

#(config) streaming max-client-bandwidth kbps 
Sets the maximum client bandwidth permitted to kbps. 

#(config) streaming max-gateway-bandwidth kbps 
Sets the maximum gateway bandwidth permitted to kbps. 

#(config) streaming multicast address-range first_address - last_address 
The IP address range for the SG appliance's multicast-station. Default is from 224.2.128.0 to 
224.2.255.255. 

#(config) streaming multicast port-range first_port - last_port 
Port range for the SG's multicast-station. Default is between 32768 and 65535. 

#(config) streaming multicast ttl ttl 

Time to live value for the multicast-station on the SG appliance, expressed in hops. Default is 5; a valid 
number is between 1 and 255. 

#(config) streaming no max-client-bandwidth 
Clears the current maximum client bandwidth setting. 

#(config) streaming no max-gateway-bandwidth 

Clears the current maximum gateway bandwidth setting. 

#(config) streaming quicktime http-handoff {disable | enable} 

Disables or enables QuickTime HTTP handoff. 

#(config) streaming quicktime max-client-bandwidth kbps 
Sets the maximum client bandwidth allowed. 

#(config) streaming quicktime max-connections number 
Sets the maximum connections allowed. 

#(config) streaming quicktime max-gateway-bandwidth kbps 
Sets the maximum gateway bandwidth allowed. 

#(config) streaming quicktime no {max-client-bandwidth | max-connections | 
max-gateway-bandwidth} 

Negates QuickTime parameters. 

#(config) streaming real-media http-handoff {disable | enable} 

Disables or enables Real Media HTTP handoff. 

#(config) streaming real-media log-forwarding {disable | enable} 
Sets Real Media client log forwarding. 

#(config) streaming real-media max-client-bandwidth kbps 

Limits the total bandwidth used by all connected clients. Changing the setting to no 
max-client-bandwidth uses the maximum available bandwidth. Zero (0) is not an accepted value. 

#(config) streaming real-media max-connections number 

Limits the concurrent number of client connections. Changing the setting to no max-connections 
uses the maximum available bandwidth. Zero (0) is not an accepted value. 

#(config) streaming real-media max-gateway-bandwidth kbps 

Limits the total bandwidth used between the proxy and the gateway. Changing the setting to no 
max-gateway-bandwidth uses the maximum available bandwidth. Zero (0) is not an accepted value. 
#(config) streaming real-media multicast {disable | enable} 

Disables or enables Real Media client multicast support. 

#(config) streaming real-media no {max-client-bandwidth | max-connections | 
max-gateway-bandwidth | refresh-interval} 

Negates Real Media parameters. 

#(config) streaming real-media refresh-interval hours 
Sets the streaming content refresh interval. 

#(config) streaming windows-media asx-rewrite number in_addr cache_proto 
cache_addr [cache_port] 

Provides proxy support for Windows Player 6.4. 

If your environment does not use a Layer 4 switch or WCCP, the SG appliance can operate as a proxy for 
Windows Media Player 6.4 clients by rewriting the . asx file (which links Web pages to Windows Media 
ASF files) to point to the Windows Media streaming media cache rather than the Windows Media server. 

number can be any positive number. It defines the priority of all the asx-rewrite rules. Smaller numbers 
indicate higher priority. in_addr specifies the hostname. It can have a maximum of one wildcard 
character. cache_proto rewrites the protocol on the SG appliance and can take any of the following 
forms: 

mmsu (MMS-UDP) 
mmst (MMS-TCP) 
http (HTTP) 

mms (MMS-UDP or MMS-TCP) 

cache_addr rewrites the address on the SG appliance. 
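To make the rule semantics above concrete, here is an added Python model of an asx-rewrite rule table (example code, not Blue Coat's): it enforces the positive rule number, the one-wildcard limit on in_addr and the four cache_proto values, and selects the rule that applies to a hostname by smallest number. fnmatch-style matching of the wildcard and the 1-65535 range for cache-port are assumptions, since the reference does not specify them.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

# Protocols the reference lists for cache_proto
CACHE_PROTOS = {"mmsu", "mmst", "http", "mms"}


@dataclass(frozen=True)
class AsxRewriteRule:
    number: int          # priority: smaller numbers win
    in_addr: str         # hostname pattern, at most one wildcard
    cache_proto: str
    cache_addr: str
    cache_port: Optional[int] = None

    def __post_init__(self):
        if self.number <= 0:
            raise ValueError("number must be a positive integer")
        if self.in_addr.count("*") > 1:
            raise ValueError("in_addr may contain at most one wildcard")
        if self.cache_proto not in CACHE_PROTOS:
            raise ValueError("cache_proto must be mmsu, mmst, http or mms")
        # Port range is an assumption; the reference only names the parameter
        if self.cache_port is not None and not 1 <= self.cache_port <= 65535:
            raise ValueError("cache-port out of range")

    def cli(self) -> str:
        """The #(config) command line that would create this rule."""
        line = (f"streaming windows-media asx-rewrite {self.number} "
                f"{self.in_addr} {self.cache_proto} {self.cache_addr}")
        return line if self.cache_port is None else f"{line} {self.cache_port}"


def rule_error(**kwargs) -> str:
    """Empty string if the rule is valid, else the validation message."""
    try:
        AsxRewriteRule(**kwargs)
        return ""
    except ValueError as exc:
        return str(exc)


def select_rule(rules, hostname):
    """Highest-priority (smallest number) rule whose in_addr matches hostname.
    Wildcard matching is fnmatch-style, an assumption not stated in the guide."""
    matches = [r for r in rules if fnmatchcase(hostname.lower(), r.in_addr.lower())]
    return min(matches, key=lambda r: r.number) if matches else None
```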

#(config) streaming windows-media broadcast-alias alias url loops date time 
Enables scheduled live unicast or multicast transmission of video-on-demand content. 

alias must be unique. url specifies the address of the video-on-demand stream. loops specifies the 
number of times the stream should be played back; 0 means forever. date specifies the broadcast alias 
starting date. To specify multiple starting dates, enter the date as a comma-separated string. date can 
take any of the following formats: 

yyyy-mm-dd 

today 

time specifies the broadcast-alias starting time. To specify multiple starting times within the same date, 
enter the time as a comma-separated string. No spaces are permitted. time can take any of the following 
formats: 

hh:mm 

midnight, 12am, 1am, 2am, 3am, 4am, 5am, 6am, 7am, 8am, 9am, 10am, 11am, noon, 
12pm, 1pm, 2pm, 3pm, 4pm, 5pm, 6pm, 7pm, 8pm, 9pm, 10pm, 11pm. 
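The date and time argument formats listed above, checked and expanded by an added Python example (not Blue Coat code): it rejects spaces, accepts yyyy-mm-dd or today and hh:mm or the named hours, and lists every start instant the alias would fire at. Passing the appliance's current date in as a parameter and the sort order of the expanded schedule are this example's own choices.

```python
from datetime import datetime

# Named hours the reference lists, mapped to a 24-hour clock hour.
# "midnight" and "12am" are the same instant, as are "noon" and "12pm".
NAMED_HOURS = {"midnight": 0, "12am": 0, "noon": 12, "12pm": 12}
NAMED_HOURS.update({f"{h}am": h for h in range(1, 12)})
NAMED_HOURS.update({f"{h}pm": h + 12 for h in range(1, 12)})


def parse_dates(spec: str, today_iso: str) -> list[str]:
    """Parse the date argument: comma-separated yyyy-mm-dd or today, no spaces.
    today_iso is the current date (yyyy-mm-dd), passed in so results are reproducible."""
    if " " in spec:
        raise ValueError("spaces are not permitted in the date list")
    out = []
    for item in spec.split(","):
        if item == "today":
            item = today_iso
        # strptime rejects anything that is not a real yyyy-mm-dd calendar date
        out.append(datetime.strptime(item, "%Y-%m-%d").strftime("%Y-%m-%d"))
    return out


def parse_times(spec: str) -> list[str]:
    """Parse the time argument: comma-separated hh:mm or a named hour, no spaces."""
    if " " in spec:
        raise ValueError("spaces are not permitted in the time list")
    out = []
    for item in spec.split(","):
        if item in NAMED_HOURS:
            out.append(f"{NAMED_HOURS[item]:02d}:00")
        else:
            out.append(datetime.strptime(item, "%H:%M").strftime("%H:%M"))
    return out


def expand_schedule(date_spec: str, time_spec: str, today_iso: str) -> list[str]:
    """Every start instant the alias fires at: each date combined with each time.
    Sorted order is this example's choice; the guide does not state one."""
    return sorted(f"{d} {t}" for d in parse_dates(date_spec, today_iso)
                  for t in parse_times(time_spec))


def schedule_error(date_spec: str, time_spec: str, today_iso: str) -> str:
    """Empty string if both arguments are well formed, else the error message."""
    try:
        expand_schedule(date_spec, time_spec, today_iso)
        return ""
    except ValueError as exc:
        return str(exc)
```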

#(config) streaming windows-media http-handoff {disable | enable} 

Allows the Windows Media module to control the HTTP port when Windows Media streaming content 
is present. The default is enabled. 

#(config) streaming windows-media live-retransmit {disable | enable} 

Allows the SG appliance to retransmit dropped packets sent through MMS-UDP for unicast. The default 
is enabled. 
#(config) streaming windows-media log-compatibility {disable | enable} 

Disables or enables access log compatibility. When log-compatibility is enabled, the SG appliance 
generates the MMS log the same way as Windows Media Server does. Three fields are affected when 
log-compatibility is enabled: 

c-ip x-wm-c-ip (client address derived from client log) 

c-dns x-wm-c-dns (client hostname derived from client log) 

c-uri-stem cs-uri (use full URI instead of just the path) 

#(config) streaming windows-media log-forwarding {disable | enable} 

Enables or disables forwarding of the client log to the origin media server. 

#(config) streaming windows-media max-client-bandwidth kbps 
Sets the maximum client bandwidth permitted to kbps. 

#(config) streaming windows-media max-connections number 

Limits the concurrent number of client connections. If this variable is set to 0, you effectively lock out all 
client connections to the SG appliance. To allow maximum client bandwidth, enter streaming 
windows-media no max-connections. 

#(config) streaming windows-media max-fast-bandwidth kbps 
Sets the maximum fast start bandwidth per player. 

#(config) streaming windows-media max-gateway-bandwidth kbps 

Sets the maximum limit, in kilobits per second (Kbps), for the amount of bandwidth Windows Media 
uses to send requests to its gateway. If this variable is set to 0, you effectively prevent the SG appliance 
from initiating any connections to the gateway. To allow maximum gateway bandwidth, enter 
streaming windows-media no max-gateway-bandwidth. 

#(config) streaming windows-media multicast-alias alias url [preload] 

Creates an alias on the SG appliance that reflects the multicast station on the origin content server. 

#(config) streaming windows-media multicast-station name {alias | url} ip port ttl 
Enables multicast transmission of Windows Media content from the SG appliance. name specifies the 
name of the alias. It must be unique. alias can be a unicast alias, a multicast-alias or a broadcast alias, 
as well as a url to a live stream source. ip is an optional parameter and specifies the multicast station's 
IP address. port specifies the multicast station's port number. ttl specifies the multicast-station's 
time-to-live value, expressed in hops (and must be a valid number between 1 and 255). The default ttl 
is 5. 

#(config) streaming windows-media no asx-rewrite number 
Deletes the ASX rewrite rule associated with number. 

#(config) streaming windows-media no broadcast-alias alias 
Deletes the broadcast alias rule associated with alias. 

#(config) streaming windows-media no max-client-bandwidth 

Negates maximum client bandwidth settings. 

#(config) streaming windows-media no max-connections 
Negates maximum connections settings. 

#(config) streaming windows-media no max-gateway-bandwidth 

Negates maximum gateway bandwidth settings. 

#(config) streaming windows-media no multicast-alias alias 
Deletes the multicast alias rule associated with alias. 

#(config) streaming windows-media no multicast-station name 
Deletes the multicast station rule associated with name. 

#(config) streaming windows-media no refresh-interval 

Sets the current Windows Media refresh interval to "never refresh." 
#(config) streaming windows-media no server-auth-type cache_ip_address 
Clears the authentication type associated with cache_ip_address. 

#(config) streaming windows-media no unicast-alias alias 

Deletes the unicast alias rule associated with alias. The name of the alias, such as "welcome1", is 
created on the SG appliance and reflects the content specified by the URL. The protocol is specified by 
the URL if the protocol is mmst, mmsu, or http. If the protocol is mms, the same protocol as the client is 
used. 

#(config) streaming windows-media refresh-interval hours 

Checks the refresh interval for cached streaming content. hours must be a floating point number that 
specifies the refresh interval. 0 means always check for freshness. 

#(config) streaming windows-media server-auth-type {basic | ntlm} cache_ip_address 
Sets the authentication type of the SG appliance indicated by cache_ip_address to BASIC or NTLM. 

#(config) streaming windows-media server-thinning {disable | enable} 

Disables or enables server thinning. 

#(config) streaming windows-media unicast-alias alias url 

Creates an alias on the SG appliance that reflects the content specified by the URL. When a client 
requests the alias content, the SG appliance uses the URL specified in the unicast-alias command to 
request the content from the origin streaming server. 

For More Information 

□ Volume 3: Web Communication Proxies 



Example 

SGOS# (config) streaming windows-media http-handoff enable 
ok 
SGOS# (config) streaming windows-media live-retransmit disable 
ok 
SGOS# (config) streaming windows-media log-forwarding disable 
ok 
SGOS# (config) streaming windows-media max-connections 1600 
ok 
SGOS# (config) streaming windows-media no max-connections 
ok 

#(config) tcp-ip 



Synopsis 

Use the following commands to configure your TCP-IP settings. 

Syntax 

#(config) tcp-ip icmp-bcast-echo {disable | enable} 

Enables or disables ICMP broadcast echo responses. 

#(config) tcp-ip icmp-tstamp-echo {disable | enable} 

Enables or disables ICMP timestamp echo responses. 

#(config) tcp-ip ip-forwarding {disable | enable} 

Enables or disables IP-forwarding. 

#(config) tcp-ip pmtu-discovery {disable | enable} 

Enables or disables Path MTU Discovery. 

#(config) tcp-ip rfc-1323 {disable | enable} 

Enables or disables RFC-1323 support (satellite communications). 

#(config) tcp-ip tcp-newreno {disable | enable} 

Enables or disables TCP NewReno support (improved fast recovery). 

#(config) tcp-ip tcp-2msl seconds 

Specifies the time_wait value for a TCP connection before completely closing. 

#(config) tcp-ip tcp-loss-recovery-mode {aggressive | enhanced | normal} 

Helps to recover throughput efficiently after packet losses occur and also addresses performance 
problems due to a single packet loss during a large transfer over long delay pipes. The feature is disabled 
(set to normal) by default. 

#(config) tcp-ip window-size window_size 

Specifies the TCP window size for satellite communications. 

For More Information 

□ Volume 5: Advanced Networking 



Example 

SGOS# (config) tcp-ip ip-forwarding enable 
ok 
SGOS# (config) tcp-ip rfc-1323 enable 
ok 

#(config) tcp-rtt 



Synopsis 

Use this command to configure the number of TCP round trip time ticks. 

Syntax 

#(config) tcp-rtt num_500ms_ticks 

Indicates the default TCP Round Trip Time in ticks. 

For More Information 

□ Volume 5: Advanced Networking 

Example 

SGOS# (config) tcp-rtt 500 
ok 
#(config) tcp-rtt-use 



Synopsis 

Use this command to enable or disable the default TCP Round Trip Time. 

Syntax 

#(config) tcp-rtt-use {disable | enable} 

Disables or enables using fixed RTT. 

For More Information 

□ Volume 5: Advanced Networking 

Example 

SGOS# (config) tcp-rtt-use enable 

ok 
#(config) timezone 



Synopsis 

Use this command to set the local time zone on the SG appliance. 

Syntax 

#(config) timezone timezone_number 

Enables you to set the local time zone. (Use (config) show time zones to display a list of supported 
timezones.) 

For More Information 

□ Volume 1: Getting started 

□ # (config) clock on page 129 

Example 

SGOS# (config) timezone 3 
ok 
#(config) upgrade-path 



Synopsis 

Use this command to specify the network path to download system software. 

Syntax 

#(config) upgrade-path url 

Indicates the network path to use to download SG system software. 

Example 

SGOS# (config) upgrade-path 10.25.36.47 

ok 
#(config) virtual-ip 



Synopsis 

This command allows you to configure virtual IP addresses. 

Syntax 

#(config) virtual-ip address ip_address 
Specifies the virtual IP to add. 

#(config) virtual-ip clear 
Removes all virtual IP addresses. 

#(config) virtual-ip no address ip_address 
Removes the specified virtual IP from the list. 

For More Information 

□ Volume 5: Advanced Networking 

□ #(config) failover on page 183 

Example 

SGOS# (config) virtual-ip address 10.25.36.47 

ok 
#(config) wccp 



Synopsis 

The SG appliance can be configured to participate in a WCCP (Web Cache Control Protocol) scheme, 
where a WCCP-capable router collaborates with a set of WCCP-configured SG appliances to service 
requests. WCCP is a Cisco-developed protocol. For more information about WCCP, refer to Volume 5: 
Advanced Networking. 

After you have created the WCCP configuration file, place the file on an HTTP server so it can be 
downloaded to the SG appliance. To download the WCCP configuration to the SG appliance, use the 
load command. 

Syntax 

#(config) wccp disable 
Disables WCCP. 

#(config) wccp enable 
Enables WCCP. 

#(config) wccp no path 

Negates certain WCCP settings. 

#(config) wccp path url 

Specifies the network path from which to download WCCP settings. 

For More Information 

□ Volume 5: Advanced Networking 

Example 

SGOS# (config) wccp path 10.25.36.47/files/wccp.txt 

ok 